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(http://dev.mysql.com/doc/). 


For overview of MySQL and for information about configuring it with Novell Cluster Services, see 
“Configuring MySQL with Novell Cluster Services” in the OES 11 SP3: Web Services and 
Applications Guide. 


PostgreSQL 


The more powerful PostgreSQL database server also comes with SLES 11. See the PostgreSQL 
documentation on the Web (http://www.postgresql.org/docs/8.3/interactive/index.html). 


Novell Archive and Version Services uses PostgreSQL for its Archive database. 


13.3.2 NetWare 6.5 SP8 


NetWare 6.5 SP8 supports both the NetWare Traditional file system and Novell Storage Services 
(NSS). 


+ “NetWare Traditional File System" on page 198 
+ “NSS Volumes" on page 198 
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13.3.3 


NetWare Traditional File System 


Although NetWare 6.5 SP8 supports Traditional volumes, you must upgrade them to NSS before 
upgrading from NetWare to OES. 


NSS Volumes 


To support data migration, NSS volumes are cross-compatible between NetWare and OES servers. 
During a cluster conversion from NetWare 6.5 SP8 to OES, clustered NSS pools that were originally 
created on a NetWare server can fail over between kernels, allowing for full data and file system 
feature preservation when migrating data to OES. For information, see the OES 11 SP3: Novell 
Cluster Services NetWare to Linux Conversion Guide. 


For additional information about coexistence and migration of NSS volumes, as well as access 
control issues for NSS on OES, see “Migrating NSS Devices to OES 11 SP3” in the OES 11 SP3: 
NSS File System Administration Guide for Linux. 


OES 11 SP3 File System Options 


OES 11 SP3 provides support for Novell Storage Services (NSS) as well as Linux POSIX file 
systems. 

* “NSS Volumes" on page 198 

¢ "Linux POSIX File Systems" on page 198 


NSS Volumes 


To support migration from NetWare to OES, NSS volumes are cross-compatible between NetWare 
and Linux. 


On OES, you can use NSS volumes only as data volumes. 


You configure NSS pools and volumes in iManager or NSSMU after the server installation completes 
successfully. You can also use the Novell Linux Volume Manager (NLVM) command line interface. 


Starting with NetWare 6.5 SP4 (and OES 1), a new metadata structure provided enhanced support 
for hard links. After you upgrade your operating system to OES, you must upgrade the media format 
in order to use the new metadata structure; some restrictions apply. For more information, see 
"Upgrading the NSS Media Format” in the OES 11 SP3: NSS File System Administration Guide for 
Linux. 


For additional information about coexistence and migration of NSS volumes, as well as access 
control issues for NSS on Linux, see “Cross-Platform Issues for NSS” in the OES 11 SP3: NSS File 
System Administration Guide for Linux. 


Linux POSIX File Systems 


IMPORTANT: Users can access data storage on OES 11 SP3 servers through a number of methods. 
For more information, see “Overview of File Services” on page 245. 
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13.4 


13.4.1 


13.4.2 


OES 11 SP3 includes tools and services that help bridge the gap between traditional Novell file 
services and Linux POSIX file services. 


+ “Management Tools" on page 199 
* “NCP Server” on page 199 


* "Novell Cluster Services” on page 199 


Management Tools 


Using NSSMU and the Novell Linux Volume Manager (NLVM) command line interface, you can 
create native Linux POSIX volumes and standalone or clustered Linux Logical Volume Manager 2 
(LVM2) volume groups and logical volumes. 


NCP Server 


OES 11 SP3 includes NCP Server for Linux. After you create native Linux POSIX volumes, you can 
use NCP Server to create NCP shares on them. You can then manage the shares as NCP volumes. 


This lets Novell Client users map drives to Linux POSIX file system data, with access controls being 
enforced by NCP. For more information on using NCP Server for Linux in OES, see the OES 11 SP3: 
NCP Server for Linux Administration Guide. 


Novell Cluster Services 


For information about clustering LVM2 volume groups with Novell Cluster Services, see "Configuring 
and Managing Cluster Resources for Shared LVM Volume Groups" in the OES 11 SP3: Novell Cluster 
Services for Linux Administration Guide. 


Configuring and Maintaining Storage 


¢ Section 13.4.1, "Managing Directories and Files," on page 199 
¢ Section 13.4.2, “Managing NSS,” on page 199 
* Section 13.4.3, "Optimizing Storage Performance," on page 201 


Managing Directories and Files 
To learn about managing directories and files on an OES 11 SP3 server, see "Understanding 


Directory Structures in Linux POSIX File Systems" in the OES 11 SP3: File Systems Management 
Guide. 


Managing NSS 


Use the links in Table 13-3 to find information on the many management tasks associated with NSS 
volumes. 
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Table 13-3 NSS Management 


Category/Feature 


Archive and Version 
Services 


Description 


Use Archive and Version Services with 
NSS volumes to save interval-based 
copies of files that can be conveniently 
restored by administrators and users. 


Link 


OES 11 SP3: Novell Archive and Version 
Services Administration Guide 


Compression 


Conserve disk space and increase the 
amount of data a volume can store. 


“Managing Compression on NSS 
Volumes” in the OES 11 SP3: NSS File 
System Administration Guide for Linux 


Console Commands 


Manage NSS volumes in an OES terminal 


console via the NSS Console (nsscon) 
utility. 


You can also issue Novell Linux Volume 
Manager (NLVM) command line 
commands at the console prompt and in 
scripts. 


“NSS Commands” and “NSS Utilities” in 
the OES 11 SP3: NSS File System 
Administration Guide for Linux 


Distributed File 
Services (DFS) 


Use DFS junctions to transparently 


redirect data requests, split volumes while 


maintaining transparent access, and 
quickly move volume data to another 
volume. 


OES 11 SP3: Novell Distributed File 
Services Administration Guide for Linux 


Encryption Create and manage encrypted NSS “Managing Encrypted NSS Volumes” in 
volumes that make data inaccessible to the OES 11 SP3: NSS File System 
software that circumvents normal access Administration Guide for Linux 
control. 

Hard Links Create multiple names for a single file in “Managing Hard Links” in the OES 11 
the same or multiple directories in an NSS SP3: NSS File System Administration 
volume. Guide for Linux 

Monitoring Monitor NSS file systems. “Monitoring the Status of the NSS File 


System and Services” in the OES 11 
SP3: NSS File System Administration 
Guide for Linux 


Multipath Support on 
Linux 


Use Linux Device Mapper Multipath I/O 
tools to manage the dynamic, multiple, 
redundant connection paths between a 
Linux server and its external storage 
devices. 


“Managing Multipath I/O to Devices” in 
the OES 11 SP3: NSS File System 
Administration Guide for Linux 


Novell Linux Volume 
Manager 


NLVM provides a command line interface 


that lets you manage the NSS file system 


at a terminal console or by using a script. 
It also provides APIs that are used by the 
NSSMU and iManager storage 
management tools. 


OES 11 SP3: NLVM Reference 


Partitions Manage partitions on NSS volumes. “Managing Partitions” in the OES 11 
SP3: NSS File System Administration 
Guide for Linux 

Pools Create and manage NSS pools. “Managing NSS Pools” in the OES 11 
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SP3: NSS File System Administration 
Guide for Linux 


13.4.3 


Category/Feature 


Description 


Link 


Pool Move You can move the contents of a pool from “Move” in the OES 11 SP3: NLVM 
one location to another on the same Reference 
system. The destination location can be 
made up of one or multiple devices. Ifthe “Moving a Pool” in the OES 11 SP3: NSS 
new location is larger than the original File System Administration Guide for 
location, the pool is automatically Linux 
expanded after the move is complete. 

Quotas Set space restrictions for users and “Managing Space Quotas for Volumes, 


directories to control storage usage. 


Directories, and Users” in the OES 11 
SP3: NSS File System Administration 
Guide for Linux 


Salvage subsystem 


Use the salvage subsystem to make 
deleted files and directories available for 
undelete or purge actions. 


“Salvaging and Purging Deleted 
Volumes, Directories, and Files” in the 
OES 11 SP3: NSS File System 
Administration Guide for Linux 


Tools 


Learn about the various tools available to 
manage NSS volumes, the tool 
capabilities, and how to use them. 


“Management Tools for NSS” in the OES 
11 SP3: NSS File System Administration 
Guide for Linux 


Troubleshooting 


Troubleshoot NSS on OES and NetWare 
6.5 SP8. 


“Troubleshooting the NSS File System” 
in the OES 11 SP3: NSS File System 
Administration Guide for Linux 


File System Trustees 
and Attributes 


Control user access to data by setting 
trustees, trustee rights, and inherited 
rights filters for files. Control file behavior 
by setting file and folder attributes. 


"Configuring File System Trustees, 
Trustee Rights, Inherited Rights Filters, 
and Attributes" in the OES 11 SP3: NSS 
File System Administration Guide for 
Linux 


Volumes 


Create and manage NSS volumes in NSS 


pools. 


Optimizing Storage Performance 


"Managing NSS Volumes" in the OES 11 
SP3: NSS File System Administration 
Guide for Linux 


See "Tuning NSS Performance" in the OES 11 SP3: NSS File System Administration Guide for Linux. 
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14.1 


eDirectory, LDAP, and Domain Services 
for Windows 


This section discusses the following topics: 


¢ Section 14.1, "Overview of Directory Services,” on page 203 
¢ Section 14.2, “eDirectory,” on page 204 

¢ Section 14.3, "LDAP (eDirectory),” on page 205 

¢ Section 14.4, “Domain Services for Windows,” on page 206 


Overview of Directory Services 


Storing and managing network identities in directory services is a fundamental expectation for 
networking. 


In the simplest terms, NetIQ eDirectory is a tree structure containing a list of objects (or identities) that 
represent network resources, such as the following: 

* Network users 

* Servers 

* Printers 

* Applications 
eDirectory is designed to provide easy, powerful, and flexible management of network resources 


(including eDirectory itself) in ways that no other directory service can match. You can administer 
eDirectory through the same browser-based tools on both OES and NetWare. 


For more information, see Chapter 14, "eDirectory, LDAP, and Domain Services for Windows," on 
page 203. 
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Figure 14-1 eDirectory Overview 
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NetIQ eDirectory is the central, key component of Novell Open Enterprise Server (OES) and provides 
the following: 


* Centralized identity management 
* The underlying infrastructure for managing your network servers and the services they provide 


* Access security both within the firewall and from the Web 
This section discusses the following tasks: 


¢ Section 14.2.1, "Installing and Managing eDirectory on OES,” on page 204 
¢ Section 14.2.2, “Planning Your eDirectory Tree,” on page 205 


¢ Section 14.2.3, “eDirectory Coexistence and Migration,” on page 205 


14.2.1 Installing and Managing eDirectory on OES 


The tools you can use to install and manage eDirectory on OES are outlined in the following sections. 


¢ “OES Installation Programs” on page 204 
+ “iManager” on page 205 


OES Installation Programs 


OES requires that eDirectory be installed by using the YaST-based OES install. 
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14.2.2 


14.2.3 


14.3 


IMPORTANT: Other utilities, such as ndsconfig and ndsmanage, are not supported for installing or 
removing eDirectory on OES servers, unless explicitly called for in OES-specific instructions. 


iManager 


iManager is the OES eDirectory management tool and is used for all eDirectory management and 
most OES component management tasks, including the following: 


* Creating eDirectory objects, including User and Group objects 
* Managing eDirectory objects 
¢ Configuring and managing OES service component controls in eDirectory 


* Accessing other OES component management tools 


For information on using iManager, see the Net/Q® iManager Administration Guide. 


Planning Your eDirectory Tree 


If you don't have eDirectory installed on your network, it is critical that you and your organization take 
time to plan and design your eDirectory tree prior to installing OES. 


If you are new to eDirectory, the OES 11 SP2: Getting Started with OES 11 and Virtualized NetWare 
provides an introduction to eDirectory planning that you might find useful for getting started with 
eDirectory. 


For detailed information on getting started using eDirectory, see "Designing Your NetIQ eDirectory 
Network" in the Net/Q eDirectory 8.8 SP8 Installation Guide. 


To learn what's new in eDirectory 8.8, see the NetIQ eDirectory 8.8 SP8 What's New Guide. 


eDirectory Coexistence and Migration 


Novell Directory Services (NDS) was introduced with NetWare 4.0. The successor to NDS, NetIQ 
eDirectory, is also available for Microsoft Windows, Red Hat, and SUSE versions of Linux, as well as 
various flavors of UNIX (Solaris, AIX, and HP-UX). 


As eDirectory has evolved, backward compatibility issues have arisen. For example, moving from 
NetWare 4.x to 5.x involved not only upgrading NDS, but also moving from IPX to TCP/IP. This 
transition brought significant changes to the core schema and security-related components. Novell 
has consistently provided the migration tools and support required to migrate to new eDirectory 
versions. 


OES 11 SP3 includes eDirectory 8.8. For those upgrading an existing NetWare 6.5 SP6 server, 
eDirectory 8.7.3 is still available. New NetWare installations require eDirectory version 8.8. 


For complete coexistence and migration information and instructions, see “Migrating to eDirectory 8.8 
SP8” in the NetiQ eDirectory 8.8 SP8 Installation Guide. 


LDAP (eDirectory) 


This section contains information about LDAP support in OES. 


¢ Section 14.3.1, "Overview of eDirectory LDAP Services,” on page 206 
¢ Section 14.3.2, “Planning eDirectory LDAP Services,” on page 206 
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14.3.1 


14.3.2 


14.3.3 


14.3.4 


14.4 


¢ Section 14.3.3, “Migration of eDirectory LDAP Services,” on page 206 
* Section 14.3.4, “eDirectory LDAP Implementation Suggestions," on page 206 


Overview of eDirectory LDAP Services 


Lightweight Directory Access Protocol (LDAP) Services for NetIQ eDirectory is a server application 
that lets LDAP clients access information stored in eDirectory. 


Most OES services leverage the LDAP server for eDirectory for authentication, as illustrated in the 
service overviews in this guide. 


Planning eDirectory LDAP Services 


LDAP for eDirectory provides LDAP authentication for the objects stored in eDirectory. As you plan 
your eDirectory tree, be sure you understand the information in “Understanding LDAP Services for 
NetIQ eDirectory” in the NetIQ eDirectory 8.8 SP8 Administration Guide. 


Migration of eDirectory LDAP Services 


If you have users in an OpenLDAP database and you want to migrate them to eDirectory, you can 
use the Novell Import Conversion Export (ICE) utility. For more information, see "NetlO eDirectory 
Management Utilities" in the Net/Q eDirectory 8.8 SP8 Administration Guide. 


eDirectory LDAP Implementation Suggestions 


OES service LDAP support requires no additional setup or configuration beyond the OES install. 


For help with setting up and using LDAP for eDirectory for other purposes, you can refer to 
“Configuring LDAP Services for NetIQ eDirectory” in the NetIQ eDirectory 8.8 SP8 Administration 
Guide. 


Domain Services for Windows 


Novell Domain Services for Windows (DSfW) allows eDirectory users on Windows workstations to 
access storage on both OES servers and Windows servers through native Windows and Active 
Directory authentication and file service protocols. 


DSfW enables companies with Active Directory and NetIQ eDirectory deployments to achieve better 
coexistence between the two platforms. 


* Users can work in a pure Windows desktop environment and still take advantage of some OES 
back-end services and technology, without the need for a Novell Client™ or even a matching 
local user account on the Windows workstation. 


* Network administrators can use Microsoft Management Console (MMC) to administer users and 
groups within the DSfW domain, including their access rights to Samba-enabled storage on OES 
servers. 


This section discusses the following: 


¢ Section 14.4.1, "Graphical Overview of DSfW,” on page 207 
¢ Section 14.4.2, “Planning Your DSfW Implementation," on page 210 
¢ Section 14.4.3, "Implementing DSfW on Your Network,” on page 210 


206 X eDirectory, LDAP, and Domain Services for Windows 


144.1 Graphical Overview of DSfW 


* "File Access" on page 207 
* "User Management" on page 208 
« "Storage Management” on page 209 


File Access 
Figure 14-2 DSfW File Access Overview 
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Table 14-1 DSfW File Access 


Access Methods Authentication 


eDirectory and Active Directory users on For eDirectory users, file service 
Windows workstations can access files access is controlled by 
through Windows Explorer (CIFS) or authentication through the 


Internet Explorer (WebDAV Web eDirectory server using common 
Folders). No Novell Client is needed on Windows authentication 
the machine. protocols, including Kerberos, 


: . NTLM, and SSL/TLS. 
Unlike Windows workgroup or Novell 


Samba, the user doesn't need to havea For AD users, file service access 
matching username and password on is controlled by authentication 
the local workstation. through the AD server. 


Although not shown, Novell Client users 
can also access files through a normal 
NCP connection. 


User Management 


Figure 14-3 DSfW User Management Overview 
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Table 14-2 DSfW User Management 


Management Tools Users 
iManager manages DSfW users like other DSfW users must have the Default Domain Password policy 
eDirectory users. assigned and a valid Universal Password. 


MMC manages both AD users and DSfW users DSfW users are automatically enabled for Samba and LUM. 
as though they were AD users. 


Storage Management 


Figure 14-4 DSfW Storage Management Overview 
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Table 14-3 DSfW Storage Management 


Management Tools Storage 


Network administrators use native OES and Storage devices on OES servers can be either NSS or 
Windows storage management tools to create traditional Linux volumes. Samba management standards 
and manage storage devices on OES and apply to both volume types. 

Windows servers, respectively. 


Windows management tools can also manage 
share access rights and POSIX file system 
rights on DSfW storage devices after the 
shares are created. They cannot create the 
shares or perform other device management 
tasks. 
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14.4.2 


14.4.3 


Planning Your DSfW Implementation 


For planning information, see the OES 11 SP3: Domain Services for Windows Administration Guide. 


Implementing DSfW on Your Network 


This section highlights some of the potential caveats to consider when installing DSfW. For complete 
information, see the OES 11 SP3: Domain Services for Windows Administration Guide, especially the 
"Troubleshooting DSfW" section. 

¢ "Implement Universal Password Before DSfW in a Name-Mapped Scenario" on page 210 

+ "DSfW Must Be Installed at the Root of an eDirectory Partition" on page 210 

* "Hierarchical Placement of Users in the eDirectory Tree" on page 210 

¢ “OES 11 Service Limitations" on page 210 

+ “Install DSfW on a New OES 11 Server When Possible" on page 210 

* "DNS Configuration" on page 211 


Implement Universal Password Before DSfW in a Name-Mapped 
Scenario 


If you install DSfW into an existing tree and your users don't currently have a Universal Password 
policy assigned, they won't be able to log in without the Novell Client until the Universal Password 
has been set. 


Therefore, you should consider implementing Universal Password and giving users an opportunity to 
log into the network before installing DSfW. Logging in after a password policy is in place creates a 
Universal Password for users so that their transition to DSfW is seamless. 

DSfW Must Be Installed at the Root of an eDirectory Partition 

You must install DSfW in the root container or an eDirectory partition, either one that currently exists 
or one that you create for DSfW. 


Hierarchical Placement of Users in the eDirectory Tree 


DSfW users must reside in the same eDirectory partition where DSfW is installed, either in the same 
container or in a container below it in the hierarchy. Therefore, DSfW should be installed high enough 
in the eDirectory tree that it encompasses all of the users that you want to enable for DSfW access. 


OES 11 Service Limitations 


Only designated OES 11 services can be installed on a DSfW server. For more information, see 
"Unsupported Service Combinations" in the OES 11 SP3: Domain Services for Windows 
Administration Guide. 


Install DSfW on a New OES 11 Server When Possible 


Because of the service limitations mentioned in OES 11 Service Limitations, Novell strongly 
recommends that you install DSfW on a new server. 
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DNS Configuration 


As you set up DNS, observe the following guidelines: 


* First DSfW Server (FRD): This should point to itself as the primary DNS server, and to the 
network DNS server as the secondary DNS server (if applicable). 


* Subsequent DSfW Servers: These must point to the FRD as their primary DNS server and 
optionally to the network DNS server as their secondary DNS server. 


* DSfW Workstations: These must be able to resolve the FRD of the DSfW forest. For example, 
you might configure workstations to point to the FRD as their primary DNS server and to the 
network DNS server secondarily. Or if the network DNS server is configured to forward requests 
to the DSfW server, then workstations could point to it as their primary DNS server. 
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15.1 


15.2 


Users and Groups 


Networks exist to serve users and groups of users. Open Enterprise Server 11 SP3 provides strong 
user and group management through eDirectory and its associated technologies. 

* Section 15.1, “Creating Users and Groups,” on page 213 

* Section 15.2, “Linux User Management: Access to Linux for eDirectory Users," on page 213 

* Section 15.3, "Identity Management Services," on page 222 

¢ Section 15.4, "Using the Identity Manager 4.5 Bundle Edition," on page 222 


Creating Users and Groups 


All OES services require that you create User objects to represent the users on your system. The 
Linux User Management (LUM) and Samba components on OES also require that you create a LUM- 
enabled Group object that you can assign the users to. 


In addition to these basic objects, it is usually helpful to organize your tree structure by using 
Organizational Unit objects to represent the structure of your organization and to serve as container 
objects to help manage the users, groups, servers, printers, and other organization resources you 
can manage through eDirectory. 


The OES 11: Getting Started Guide provides introductory exercises for creating container objects as 
well as Group and User objects in eDirectory. 


For more information about Samba, see Creating eDirectory Users for Samba in the OES 11 SP3: 
Novell Samba Administration Guide. 


For detailed information on understanding, creating, and managing the various objects your 
organization might require, see the NetIQ eDirectory 8.8 SP8 Administration Guide. 


Linux User Management: Access to Linux for 
eDirectory Users 


Users and groups on NetWare servers are created in and managed through eDirectory; users and 
groups on Linux servers are usually created locally and managed according to the POSIX (Portable 
Operating System Interface) standard. 


Because Open Enterprise Server provides services running on both Linux and NetWare, Novell has 
developed a technology that lets eDirectory users also function as "local" POSIX users on Linux 
servers. This technology is called Linux User Management or LUM. 


The following sections outline the basic principles involved in Novell LUM and cover the following 
topics: 

¢ Section 15.2.1, “Overview,” on page 214 

¢ Section 15.2.2, “LUM Changes,” on page 219 

¢ Section 15.2.3, "Planning," on page 219 

¢ Section 15.2.4, “LUM Implementation Suggestions,” on page 219 
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15.2.1 


Overview 


The topics in this section are designed to help you understand when LUM-enabled access is required 
so that your network services are accessible and work as expected. For more information about Linux 
User Management, see "Overview" in the OES 11 SP3: Novell Linux User Management 
Administration Guide. 


* 


* 


* 


"A Graphical Preview of Linux User Management" on page 214 
"Linux Requires POSIX Users" on page 215 

"Linux Users Can Be Local or Remote" on page 215 

"The root User Is Never LUM-Enabled" on page 215 

"About Service Access on OES" on page 216 

"OES Services That Require LUM-Enabled Access" on page 216 


"OES Services That Do Not Require LUM-Enabled Access But Have Some LUM Requirements" 
on page 217 


"OES Services That Do Not Require LUM-enabled Access" on page 218 
"LUM-Enabling Does Not Provide Global Access to ALL OES Servers" on page 218 
"LUM-Enabling Required for Full Administrative Access" on page 218 


A Graphical Preview of Linux User Management 


Figure 15-1 illustrates how Linux User Management controls access to the OES server. 


Figure 15-1 LUM Provides POSIX Access for eDirectory Users 
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The following table explains the information presented in Figure 15-1. 
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Table 15-1 Linux User Management 


Valid POSIX Users Authentication eDirectory Authenticated 
Services 
Some services on OES servers When the system receives an Users can potentially access PAM- 


must be accessed by POSIX users. action request, it can authenticate enabled services, Samba shares, 
both local POSIX users and users and Novell Remote Manager as 
who have been enabled for Linux either local or eDirectory users. 


eDirectory users can function as access. 
POSIX users if they are enabled for By default, only the sfcb command 
Linux access (LUM). (required for server management) 


is enabled for eDirectory access. 


Linux Requires POSIX Users 


Linux requires that all users be defined by standard POSIX attributes, such as username, user ID 
(UID), primary group ID (GID), password, and other similar attributes. 


Linux Users Can Be Local or Remote 


Users that access a Linux server can be created in two ways: 


* Locally (on the server): Local users are managed at a command prompt (using commands 
such as useradd) or in YaST. (See the useradd(8) man page and the YaST online help for more 
information.) These local users are stored in the /etc/passwd file. (See the passwd(5) man 
page for more information.) 


IMPORTANT: As a general rule on OES servers, the only local user account that should exist is 
root. All other user accounts should be created in eDirectory and then be enabled for Linux 
access (LUM). You should never create duplicate local and eDirectory user accounts. 


For more information, see Section 6.2, "Avoiding POSIX and eDirectory Duplications," on 
page 114. 


* Remotely (off the server): Remote users can be managed by other systems, such as LDAP- 
compliant directory services. Remote user access is enabled through the Pluggable 
Authentication Module (PAM) architecture on Linux. 


The Linux POSIX-compliant interfaces can authenticate both kinds of users, independent of where 
they are stored and how they are managed. 


The root User Is Never LUM-Enabled 


The OES user management tools prevent you from creating an eDirectory user named root, thus 
replacing the root user on an OES server. If root were to be a LUM user and eDirectory became 
unavailable for some reason, there would be no root access to the system. 


Even if eDirectory is not available, you can still log into the server through Novell Remote Manager 
and perform other system management tasks as the root user. 
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About Service Access on OES 


Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for 
access to one or more OES servers. 


In other words, LUM lets eDirectory users function as local (POSIX) users on an OES server. Access 
is enabled by leveraging the Linux Pluggable Authentication Module (PAM) architecture. PAM makes 
it possible for eDirectory users to authenticate with the OES server through LDAP. 


In OES, the terms LUM-enabling and Linux-enabling are both used to describe the process that adds 
standard Linux (POSIX) attributes and values to eDirectory users and groups, thus enabling them to 
function as POSIX users and groups on the server. 


You can use iManager to enable eDirectory users for Linux. For instructions, see “About Enabling 
eDirectory Users for Linux Access” on page 220. 


OES Services That Require LUM-Enabled Access 


Some services on an OES server require that eDirectory users be LUM-enabled to use them: 


* Novell Samba (CIFS) Shares on the Server: Windows workgroup users who need access to 
Samba shares defined on the server must be LUM-enabled eDirectory users who are configured 
to access the server. This is because Samba requires POSIX identification for access. 


By extension, NetStorage users who need access to Samba (CIFS) Storage Location objects 
that point to the server must also be LUM-enabled eDirectory users with access to the server. 


NOTE: Although Samba users must be enabled for LUM, Samba is not a PAM-enabled service. 
Logging in to an OES server through Samba does not create a home directory on the server. 


* Core Linux Utilities Enabled for LUM: These are the core utilities and other shell commands 
that you can specify during the OES install to be enabled for authentication through eDirectory 
LDAP. In Linux, these are known as PAM-enabled utilities or services. 


IMPORTANT: Before you accept the default PAM-enabled service settings, be sure you 
understand the security implications explained in Section 22.2.2, “User Restrictions: Some OES 
Limitations,” on page 293. 


The core utilities available for PAM-enablement are summarized in Table 15-2. 


Table 15-2 PAM-enabled Services Controlled by LUM 


Command Where Executed Task 


ftp Another host Transfer files to and from the OES server which, in 
this case, is a remote host. 


gdm * Local host Run and manage the X servers using XDMCP. 


* Remote host 


gnomesu-pam Local host Required for GNOME applications that need 
superuser access. 


login * OES server Log in to the OES server, either directly or in an SSH 


, : session with the server. 
* SSH session with OES 


Server 
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Command Where Executed Task 


sfcb Local host Required for iPrint, NSS, SMS, Novell Remote 
Manager, and iManager. 


sshd Another host Establish a secure encrypted connection with the 
OES server which, in this case, is a remote host. 


su * OES server Temporarily become another user. 
* SSH session with OES This is most often used to temporarily become the 
server root user, who is not a LUM user and is, therefore, 


not affected by LUM. 


NOTE: Logging in to the OES server through a PAM-enabled service for the first time causes the 
creation of a home directory in /home on the server. 


* Novell Remote Manager on Linux: You can access Novell Remote Manager as the following: 
* The root user with rights to see everything on the Linux server. 


* Alocal Linux user with access governed by POSIX access rights. (Having local users in 
addition to root is not recommended on OES servers.) 


* ALUM-enabled eDirectory user, such as the Admin user created during the install. 
* Novell Storage Management Services (SMS) on Linux: You can access SMS utilities as 


* The root user, who has rights to see everything on the Linux server, including NSS 
volumes. 


* Alocal Linux user with access governed by POSIX access rights. (Having local users in 
addition to root is not recommended on OES servers.) 


* ALUM-enabled eDirectory user, such as the Admin user created during the install. 


OES Services That Do Not Require LUM-Enabled Access But Have 
Some LUM Requirements 
Some services do not require eDirectory users to be LUM-enabled for service access: 


* NetStorage: NetStorage users don't generally need to be LUM-enabled. However, salvaging 
and purging files through NetStorage on an NSS volume can only be done by users who are 
enabled for Linux. 


IMPORTANT: Files that are uploaded by non-LUM users via NetStorage are owned, from a 
POSIX perspective, by the root user. The assumption is that such users are accessing their 
data on NSS or NCP volumes by using an NCP storage location object. In both cases, the Novell 
Trustee Model applies and POSIX ownership is irrelevant. 


If non-LUM NetStorage users are later enabled for Samba access (which means they are then 
LUM-enabled), and they begin using Samba as a file service, their NetStorage uploaded files are 
not accessible through Samba until you make them the file owners from a POSIX perspective. 
Although the Novell implementation of Samba leverages eDirectory for authentication, Samba 
file and directory access is always controlled by POSIX. The Novell Trustee Model doesn't apply 
to Samba. 


Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are 
LUM-enabled. 
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Although NetStorage doesn’t require LUM-enabled access, the service itself runs as a POSIX- 
compliant system (proxy) User (initially a local user on the OES server) who functions on behalf 
of the end users that are accessing the service. 


If NetStorage must access NSS volumes, this local system user must be moved to eDirectory 
and LUM-enabled because only eDirectory users can access NSS volumes. The OES 11 SP3 
installation program configures this correctly by default. 


For more information, see Appendix H, “System User and Group Management in OES 11 SP3,” 
on page 331. 


* NSS: eDirectory users that access NSS volumes directly through NCP (the Novell Client) are not 
required to be LUM-enabled. 


However, because Novell Samba accesses NSS through the virtual file system layer that makes 
NSS appear to be a POSIX-compliant file system, Samba users must be LUM-enabled to 
access an NSS volume. 


OES Services That Do Not Require LUM-enabled Access 


The following end user services do not require LUM-enabled access: 


* iFolder 3.9.2 

¢ iPrint 

* NCP Client to an NCP Volume 
* NCP Client to an NSS Volume 
* Novell AFP 

* Novell CIFS 

* QuickFinder 


LUM-Enabling Does Not Provide Global Access to ALL OES Servers 


As you plan to LUM-enable users for access to the services that require it, keep in mind that each 
OES server being accessed must be associated with a LUM-enabled group that the accessing users 
belong to. 


In other words, it is not sufficient to LUM-enable users for access to a single OES server if they need 
access to multiple servers. An association between the LUM-enabled groups that the users belong to 
and the eDirectory UNIX Workstation object associated with each server must be formed by using 
iManager. This can be accomplished for multiple servers by using the process described in "Enabling 
eDirectory Groups and Users for Linux Access" on page 220. 


For more information on LUM, see the OES 11 SP3: Novell Linux User Management Administration 
Guide. 


LUM-Enabling Required for Full Administrative Access 


The current LUM architecture requires that administrators, administrator equivalents, partition 
administrators, and RBS-enabled managers be LUM-enabled to have full management capabilities. 
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15.2.2 


15.2.3 


15.2.4 


LUM Changes 


In response to customer requests for improved LDAP performance, persistent searching for new 
Linux-enabled users and groups has been disabled in OES 2 SP3 and later. 


For more information, see Section 6.10, “LUM Cache Refresh No Longer Persistent,” on page 121 
and "What's New or Changed in Linux User Management” in the OES 11 SP3: Novell Linux User 
Management Administration Guide. 


Planning 


The following sections summarize LUM planning considerations. 


+ “eDirectory Admin User Is Automatically Enabled for Linux Access" on page 219 
+ "Planning Which Users to Enable for Access" on page 219 
¢ “Be Aware of System-Created Users and Groups" on page 219 


eDirectory Admin User Is Automatically Enabled for Linux Access 


When you install Linux User Management on an OES server, the Admin User object that installs LUM 
is automatically enabled for eDirectory LDAP authentication to the server. 


Planning Which Users to Enable for Access 


You need to identify the eDirectory users (and groups) who need access to services on OES servers 
that require LUM-enabled users. 


This can be easily determined by doing the following: 


1. Review the information in "DES Services That Require LUM-Enabled Access" on page 216. 
2. Identify the servers that will run the services mentioned. 


3. Note the users and groups that need access and then configure their objects and the target 
servers/services for that access. 


Be Aware of System-Created Users and Groups 


You should also be aware of the system-created users and groups that are LUM-enabled when NSS 
is installed. For more information, see Appendix H, "System User and Group Management in OES 11 
SP3,” on page 331. 


LUM Implementation Suggestions 


The following sections summarize LUM implementation considerations. 


+ "About Enabling eDirectory Users for Linux Access" on page 220 
+ “UNIX Workstation" and "Linux Workstation" Are the Same Thing" on page 220 


* "Enabling eDirectory Groups and Users for Linux Access" on page 220 
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About Enabling eDirectory Users for Linux Access 


You can enable eDirectory users for Linux User Management by using either iManager 2.7 or the 
nambulkadd command. 


* iManager: You can enable existing eDirectory users for Linux access by using the Linux User 
Management tasks in iManager. 


You can enable multiple users in the same operation as long as they can be assigned to the 
same primary LUM-enabled group. The enabling process also lets you associate the group with 
one or more OES servers or Linux workstations. 


Samba users are also enabled for Linux access as part of the Samba-enabling process. 


¢ nambulkadd: If you have eDirectory users and groups that need to be enabled for Linux access, 
you can use the nambulkadd command to modify multiple objects simultaneously. For more 
information, see the OES 11 SP3: Novell Linux User Management Administration Guide. 


“UNIX Workstation” and “Linux Workstation” Are the Same Thing 


When you use iManager to manage OES access, you might notice some inconsistencies in naming. 


When OES servers are created, a "UNIX Workstation - server name" object is created in eDirectory, 
where server name is the DNS name of the OES server. In some places the iManager help refers to 
these server objects as "Linux Workstation" objects. 


Both "UNIX Workstation" and "Linux Workstation" refer to the same eDirectory objects. 


Enabling eDirectory Groups and Users for Linux Access 


IMPORTANT: Users gain server access through their LUM-enabled group assignment rather than 
through a direct assignment to the UNIX Workstation objects themselves. 


You can enable users for access to multiple OES servers by associating the LUM-enabled groups to 
which the users belong with the UNIX Workstation objects you want users to have access to. 


There are four methods for enabling eDirectory groups and users for Linux access: 


* "Using iManager to Enable Groups and any Users Assigned to Them" on page 220 
* "Using iManager to Bulk-Enable Users in a LUM Group" on page 221 
* "Using iManager to Bulk-Enable Users in a Container" on page 221 


* "Using LUM Utilities at the Command Prompt" on page 221 


Using iManager to Enable Groups and any Users Assigned to Them 


The following steps assume that the eDirectory Group objects already exist and that any User objects 
you want to enable for Linux at the same time also exist and have been assigned to the groups. 

1 Log in to iManager as the eDirectory Admin user or equivalent. 

2 Click Linux User Management » Enable Groups for Linux. 

3 Browse to and select one or more Group objects, then click OK. 


4 If you want all users assigned to the groups to be enabled for Linux, make sure the Linux-Enable 
All Users in These Groups option is selected. 
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5 Click Next. 


6 
7 
8 
9 


If the groups contain users, click Next to confirm that you want them enabled. 
Browse to and select a UNIX Workstation (OES server) object, then click OK. 
Browse to and select the Unix Config Object for the workstation, then click OK. 
Click Next, click Finish, then click OK. 


Using iManager to Bulk-Enable Users in a LUM Group 


The following steps assume that the eDirectory LUM-enabled Group objects already exist and that 
they have assigned non-LUM-enabled User objects that you want to enable for Linux access. 
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Log in to iManager as the eDirectory Admin user or equivalent. 

Click Linux User Management > Bulk-Enable Users in a LUM Group. 

Browse to and select one or more LUM-enabled Group objects, then click OK. 
Browse to and select the Unix Config Object, then click OK. 

Click Next. 

Click Finish to confirm that you want the listed users enabled for Linux. 

Click OK. 


Using iManager to Bulk-Enable Users in a Container 


The following steps assume that eDirectory non-LUM-enabled User objects exist inside an eDirectory 
container (OU object) and that you want to enable these User objects for Linux access. 
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Log in to iManager as the eDirectory Admin user or equivalent. 
Click Linux User Management » Bulk-Enable Users in a Container. 
Browse to and select the Container (OU) object, then click OK. 
Browse to and select the Unix Config Object, then click OK. 


Browse to and select the LUM-enabled group that you want the users associated with for Linux 
access. 


Click Next. 


7 Observe that all user objects in the container are listed for assignment to the group you have 


9 


selected as the primary group. If you don't want already enabled user objects that are currently 
assigned to a different primary group to have that assignment changed, you must deselect them 
at this point. 


Click Finish to confirm that you want the selected users enabled for Linux (if not already) and 
assigned to the select group. 


Click OK. 


Using LUM Utilities at the Command Prompt 


Novell Linux User Management includes utilities for creating new LUM-enabled groups, and for 
enabling existing eDirectory groups for Linux access. 


* 


The nambulkadd utility lets you use a text editor to create a list of groups you want enabled for 
Linux access. For more information, see “nambulkadd” in the OES 11 SP3: Novell Linux User 
Management Administration Guide. 
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15.3 


15.4 


IMPORTANT: Be sure to include a blank line at the end of each text file. Otherwise, the last line 
of the file won't be processed properly. 


* The namgroupadd utility lets you create a new LUM-enabled group or enable an existing 
eDirectory group for Linux access. For more information, see “namgroupadd” in the OES 11 
SP3: Novell Linux User Management Administration Guide. 


Identity Management Services 


Providing network users with a network identity is a fundamental expectation for networking, but it can 
also become confusing when users need to track multiple identities to use network services. When 
you add the traditional POSIX users found on Linux systems to the mix, the picture becomes even 
more complex. 


The identity management services provided by Novell Open Enterprise Server (OES) leverage NetlQ 
eDirectory to simplify and customize identity management to fit your needs: 


* |f you currently store and manage all your users and groups in eDirectory, you can continue to do 
so. 


* |f you use Novell Client software to provide network file and print services, you can provide 
seamless file and print access to OES servers by using the NCP server for Linux and iPrint 
services. For more information, see Section 18.6, "NCP Implementation and Maintenance," on 
page 272 and Chapter 19, "Print Services," on page 279. 


* |f you want eDirectory users to have access to OES services that require POSIX authentication, 
you can enable the users for Linux access. For more information, see Section 15.2, "Linux User 
Management: Access to Linux for eDirectory Users," on page 213. 


* |f you need to store and manage users in multiple directories, you can greatly strengthen your 
organization's security and dramatically decrease your identity management costs by deploying 
NetIQ Identity Manager. For more information, see Section 15.4, "Using the Identity Manager 4.5 
Bundle Edition," on page 222. 


Using the Identity Manager 4.5 Bundle Edition 


NetIQ Identity Manager is a data-sharing solution that leverages the Identity Vault to synchronize, 
transform, and distribute information across applications, databases, and directories. 


The Identity Manager Bundle Edition provides licensed synchronization of information (including 
passwords) held in Active Directory Domains and eDirectory systems. When data from one system 
changes, Identity Manager detects and propagates these changes to other connected systems based 
on the business policies you define. 


This section discusses the following: 


¢ Section 15.4.1, "What Am | Entitled to Use?,” on page 223 
¢ Section 15.4.2, "System Requirements," on page 223 

¢ Section 15.4.3, "Installation Considerations," on page 223 

¢ Section 15.4.4, "Getting Started," on page 223 

¢ Section 15.4.5, "Activating the Bundle Edition," on page 224 
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15.4.2 


15.4.3 


15.4.4 


What Am I Entitled to Use? 


The Bundle Edition allows you to use the Identity Manager engine and the following Identity Manager 
drivers: 


* Legacy Identity Manager Driver for eDirectory (eDir2eDir) 


IMPORTANT: The Bi-directional eDirectory driver is not included in the Bundle Edition 
entitlement. 


¢ Identity Manager Driver for Active Directory 


Other Identity Manager Integration Modules (drivers) are included in the software distribution. You 
can install and use these additional Integration Modules for 90 days, at which time you must purchase 
Identity Manager and the Integration Modules you want to use. 


The User Application and the service drivers (Loopback, Manual Task, and Entitlements) are not 
included as part of the license agreement for the Bundle Edition. In order to use these Identity 
Manager components, you must purchase /dentity Manager. 


System Requirements 


For the latest Identity Manager system requirements, see the Net/Q Identity Manager Integrated 
Installation Guide. 


The Bundle Edition does not include Solaris or AIX support. To run the Identity Manager engine or 
Integration Modules on these platforms, you must purchase Identity Manager. 


Installation Considerations 


NetIQ Identity Manager Bundle Edition contains components that can be installed within your 
environment on multiple systems and platforms. Depending on your system configuration, you might 
need to run the installation program several times to install Identity Manager components on the 
appropriate systems. 


In order for the product to be activated, you must install Open Enterprise Server before installing the 
Identity Manager Bundle Edition. For more information on Activation issues, see "Activating the 
Bundle Edition" on page 224. 


NOTE: To install IDM 4.5 Bundle Edition, download the IDM 4.5 Standard Edition and use the IDM 4.5 
Bundle Edition activation keys. 


Getting Started 


The following sections from the Identity Manager 4.5 documentation will help you plan, install, and 
configure your Identity Manager 4.5 Bundle Edition. 

* Overview 

¢ Planning 

* Installing Identity Manager 

* Installing Active Directory and eDirectory Drivers 

¢ Password Synchronization across Connected Systems 
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See Policy Builder and Driver Customization Guide for information about customizing your Identity 
Manager implementation. 


Activating the Bundle Edition 


If you choose to purchase additional Identity Manager Integration Modules, you need to install the 
activation credential for those Integration Modules and also the credential for Identity Manager. See 
Activating Identity Manager Products Using a Credential for more information on activating other 
Identity Manager products. 


In order to use the Bundle Edition, you must obtain and install an activation credential. Use the 
following instructions to complete the Bundle Edition activation tasks: 
1 Browse to the Identity Manager Bundle Edition Registration Web site. 
2 Enter your OES activation code, then click Submit. 
3 Do one of the following: 
* Save the Product Activation Credential file. 
or 


* Open the Product Activation Credential file, then copy the contents of the Product Activation 
Credential to your clipboard. Carefully copy the contents, and make sure that no extra lines 
or spaces are included. You should begin copying from the first dash (-) of the credential (-- 
--BEGIN PRODUCT ACTIVATION CREDENTIAL) through the last dash (-) of the credential 
(END PRODUCT ACTIVATION CREDENTIAL-----). 


4 Open iManager, then choose Identity Manager > Identity Manager Overview and select the 
driver set or browse to a driver set, then click Next. 


5 On the Identity Manager Overview page, locate the driver set, click the red Activation required 
by link, then click Install Activation. 


6 Select the driver set where you want to activate an Identity Manager component. 
7 Do one of the following: 
* Specify where you saved the Identity Manager Activation Credential, then click Next. 
Or 


* Paste the contents of the Identity Manager Activation Credential into the text area, then click 
Next. 


8 Click Finish. 


Frequently Asked Questions about Activation 


Do I need to Install Identity Manager on a specific server? 


Yes. As a Bundle Edition user, you must install Identity Manager on the server where you installed 
Open Enterprise Server. In order for activation to work properly, you must install Identity Manager on 
OES, and create a driver set on the server. 


l installed the Bundle Edition but it's not activated. Why? 


You must install the Bundle Edition on the server where OES exists. If you install it on a non-OES 
server, the Bundle Edition cannot activate. 
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Can I run Identity Manager on a Windows Server? 


Not with the Bundle Edition. However, you can still synchronize data held on a Windows server by 
using the Identity Manager Remote Loader service. The Remote Loader enables synchronization 

between the Identity Manager Engine (on your OES server) and a remote driver (on the Windows 
server.) 


In order to run Identity Manager on a Windows server, you need to purchase /dentity Manager. 


Can I run Identity Manager on a Solaris or AIX Server? 


Not with the Bundle Edition. However, you can still synchronize data held on these platforms by using 
the Identity Manager Remote Loader service. The Remote Loader enables synchronization between 
the Identity Engine and a remote driver (on the Solaris or AIX server.) 


In order to run Identity Manager on Solaris or AIX, you need to purchase /dentity Manager. 


My drivers stopped working. What happened? 


You might have installed the Bundle Edition on a non-OES server. The Bundle Edition must be 
installed on your OES server where OES exists. If Identity Manager is installed on a non-OES 
platform, activation cannot work. After 90 days, your drivers stop running. 


| purchased an additional Integration Module. Why doesn't it work? 


With your OES purchase, you are entitled to use the Bundle Edition products. If you want to add new 
Integration Modules, you also need to purchase /dentity Manager. The Integration Module cannot 
activate until you purchase Identity Manager. 


If | purchase licenses for NetIQ Identity Manager and an additional Integration 
Module, must I re-install? 


No, you just need to install the activation credentials associated with your purchase. 


How do I know what's activated? 


For information about how to view currently activated products, see Viewing Product Activations for 
Identity Manager and for Drivers. 


Users and Groups 225 


226 | Users and Groups 


16.1 


16.1.1 


Access Control and Authentication 


Access Control and Authentication are the keys to: 


* Providing services for users. 


* Ensuring that the network is secure. 
This section discusses the following: 


¢ Section 16.1, “Controlling Access to Services," on page 227 
¢ Section 16.2, "Authentication Services," on page 238 


Controlling Access to Services 


OES supports a number of options for service access, including: 


* Web browsers. 

* File managers and applications on Linux, Macintosh, and Windows workstations. 

* Novell Client software. 

* Personal digital assistants (PDAs) and other electronic devices that are enabled for Web access. 


You control which of these options can be used through the services you offer and the ways you 
configure those services. 


This section can help you understand access control at a high level so that you can plan, implement, 
and control access to services. More detail about the items discussed is contained in individual 
service guides. 


The topics that follow are: 


¢ Section 16.1.1, “Overview of Access Control," on page 227 

¢ Section 16.1.2, "Planning for Service Access,” on page 233 

¢ Section 16.1.3, “Coexistence and Migration of Access Services,” on page 236 
¢ Section 16.1.4, "Access Implementation Suggestions," on page 236 


¢ Section 16.1.5, "Configuring and Administering Access to Services,” on page 236 


Overview of Access Control 


The following sections present overviews of methods for accessing Open Enterprise Server 11 SP3 
services. 


* "Access to OES 11 SP3 Services" on page 228 

* "Access Control Options in OES" on page 229 

* "The Traditional Novell Access Control Model" on page 230 
* "NSS Access Control on OES" on page 231 
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* "Novell Client (NCP File Services) Access" on page 232 
+ “eDirectory User Access to OES Servers" on page 233 


Access to OES 11 SP3 Services 


Figure 16-1 illustrates the access methods supported by OES 11 SP3 services. NetIQ eDirectory 
provides authentication to each service. 


Figure 16-1 Access Interfaces and the Services They Can Access 
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The interfaces available for each service are largely determined by the protocols supported by the 
service. 
* Browsers and personal digital assistants require support for the HTTP protocol. 


* Each workstation type has file access protocols associated with it. Linux uses NFS as its native 
protocol for file services access, Macintosh workstations communicate using AFP or CIFS, and 
Windows workstations use the CIFS protocol for file services. 


* Novell Client software for both Windows and Linux uses the NetWare Core Protocol (NCP) to 
provide the file services for which Novell is well known. 
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Understanding the protocol support for OES services can help you begin to plan your OES 
implementation. For more information, see “Matching Protocols and Services to Check Access 


Requirements” on page 235. 


Access Control Options in OES 


Because OES offers both traditional Novell access control and POSIX access control, you have a 
variety of approaches available to you, including combining the two models to serve various aspects 


of your network services. 


Table 16-1 provides links to documentation that discusses OES access control features. 


Table 16-1 General File System Access Control 


Feature 


Access Control Lists (ACLs) on 
Linux 


To Understand 


How ACLs are supported on the 
most commonly used Linux POSIX 
file systems, and how they let you 
assign file and directory 
permissions to users and groups 
who do not own the files or 
directories. 


See 


"Access Control Lists in Linux" 
(http://www.suse.com/ 
documentation/sles11/ 

book security/data/cha acls.html) 
inthe SLES 11 SP4: Security Guide 
(http://www.suse.com/ 
documentation/sles11/index.html) 


Aligning NCP and POSIX access 
rights 


How to approximate the Novell 
access control model on POSIX file 
systems. 


“Section 18.4, “Aligning NCP and 
POSIX File Access Rights,” on 
page 260” 


Directory and file attributes 


Directory and file attributes on NSS 
volumes. 


“Understanding Directory and File 
Attributes for NSS Volumes” in the 
OES 11 SP3: File Systems 
Management Guide 


File system trustee rights 


File system trustee rights on 
NetWare (NSS and traditional 
volumes), including how file system 
trustee rights work. 


“Understanding the Novell Trustee 
Model for File System Access” in 
the OES 11 SP3: File Systems 
Management Guide 


Novell trustee rights and directory 
and file attributes 


POSIX file system rights and 
attributes on Linux 


How to control who can see which 
files and what they can do with 
them. 


How to configure file system 
attributes on OES 11 SP3 servers. 


“Understanding File System Access 
Control Using Trustees” in the OES 
11 SP3: File Systems Management 
Guide 


“Access Control Lists in Linux” 
(http://www.suse.com/ 
documentation/sles11/ 
book_security/data/cha_acls.html) 
in the SLES 11 SP4: Security Guide 
(http://www.suse.com/ 
documentation/sles11/index.html) 


Security Equivalence in eDirectory 


The concept of Security 
Equivalence in eDirectory. 
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“Security Equivalence” in the OES 
11 SP3: File Systems Management 
Guide 
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The Traditional Novell Access Control Model 


NetWare is known for its rich access control. OES makes these controls available on Linux through 
NSS volume support. In addition, some of the controls are available on Linux POSIX file systems 
through NCP volume creation. NCP volume access controls are not equivalent to NSS because they 
are constrained by Linux POSIX access controls, which offer only a subset of the directory and file 
attributes that NSS offers. 


In the Novell access control model, eDirectory objects, such as users and groups, are assigned File 
System Trustee Rights to directories and files on NSS and NCP volumes. These trustee rights 
determine what the user or group can do with a directory or file, provided that the directory or file 
attributes allow the action. 


This is illustrated in Figure 16-2. 


Figure 16-2 Directory and File Access under the NetWare Access Control Model 
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Table 16-2 explains the effective access rights illustrated in Figure 16-2. 
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Table 16-2 Access Rights Explanation 


eDirectory File System Trustee 
Objects Rights 

eDirectory File system trustee 
objects (in rights govern access 
most cases and usage by the 
users and eDirectory object 


groups) gain 
access to the 


specified for the 
directory or file to which 


file system the rights are granted. 
through 
eDirectory. Trustee rights are 


overridden by directory 
and file attributes. 


For example, even 
though Nancy has the 
Supervisor (all) trustee 
right at the directory 
(and, therefore, to the 
files it contains), she 
cannot delete File2 
because it has the 
Read Only attribute set. 


Of course, because she 
has the Supervisor 
right, Nancy could 
modify the file attributes 
so that File2 could then 
be deleted. 


Directory and File 
Attributes 


Each directory and file 
has attributes 
associated with it. 
These attributes apply 
universally to all 
trustees regardless of 
the trustee rights an 
object might have. 


For example, a file that 
has the Read Only 
attribute is Read Only 
for all users. 


Attributes can be set 
by any trustee that has 
the Modify trustee right 
to the directory or file. 


NSS Access Control on OES 


Directories and Files 


The possible actions by the eDirectory users 
and group shown in this example are as 
follows: 


* Nancy has the Supervisor trustee right 


at the directory level, meaning that she 
can perform any action not blocked by a 
directory or file attribute. 


The Di (Delete Inhibit) and Ri (Rename 
Inhibit) Attributes on Directory A 
prevent Nancy from deleting or 
renaming the directory unless she 
modifies the attributes first. The same 
principle applies to her ability to modify 
File2. 


* Because Joe is a member of the 


Reporters group, he can view file and 
directory names inside DirectoryA and 
also see the directory structure up to 
the root directory. 


Joe also has rights to open and read 
any files in DirectoryA and to execute 
any applications in DirectoryA. 


Because Bert is a member of the 
Reporters group, he can view file and 
directory names inside DirectoryA and 
also see the directory structure up to 
the root directory. 


Bert also has rights to open and read 
File1 and to execute it if it's an 
application. 


And Bert has rights to grant any 
eDirectory user access to File1. 


Because all three users are members of 
the Reporters group, they can grant any 
eDirectory user access to File2. 


Of course, for Nancy this is redundant 
because she has the Supervisor right at 
the directory level. 


Table 16-3 provides links to documentation that discusses the various NSS-specific access control 


features. 
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Table 16-3 Summary of NSS Access Control Documentation Links 


Feature To Understand See 

Independent Mode vs. NetWare The difference between "Access Control for NSS on Linux" 

Mode Independent Mode access and in the OES 11 SP3: File Systems 
NetWare Mode access. Management Guide 


This applies only to OES servers, 
not NetWare. 


POSIX directory and file attributes | How NSS file attributes are "Viewing Key NSS Directory and 
on NSS volumes on OES reflected in Linux directory and file File Attributes as Linux POSIX 

f . uen permissions viewable through Permissions" in the OES 11 SP3: 
This describes what is displayed. — posix, File Systems Management Guide 


POSIX permissions are not actually 
used for access control to NSS 
volumes. 


Novell Client (NCP File Services) Access 


If you have not already determined whether to use the Novell Client on your network, we recommend 
that you consider the following information: 


* “About the Novell Client" on page 232 
+ “Is the Novell Client Right for Your Network?" on page 232 
+ "Differences between Linux and Windows" on page 233 


About the Novell Client 


The Novell Client extends the capabilities of Windows and Linux desktops with access to NetWare 
and OES servers. 


After installing Novell Client software, users can enjoy the full range of Novell services, such as 


* Authentication via NetIQ eDirectory 

* Network browsing and service resolution 
* Secure and reliable file system access 

¢ Support for industry-standard protocols 


The Novell Client supports the traditional Novell protocols (NDAP, NCP, and RSA) and interoperates 
with open protocols (LDAP, CIFS, and NFS). 


Is the Novell Client Right for Your Network? 


Although Novell offers services that don't require Novell Client, (such as NetStorage, Novell iFolder 
3.9.2, and iPrint), many network administrators prefer that their network users access the network 
through the client for the following reasons: 


* They prefer eDirectory authentication to LDAP authentication because they believe it is more 
secure. 

* They prefer the NetWare Core Protocol (NCP) over the Microsoft CIFS protocol because they 
believe that CIFS is more vulnerable to the propagation of viruses on the network. 


Conversely, other network administrators are equally adamant that their users function better without 
the added overhead of running an NCP client on each workstation. 
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We can’t determine what is best for you or your network, but we do provide you with viable choices. 


Differences between Linux and Windows 


There are some differences between the Linux and Windows clients. These are documented in 
“Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/XP” 
in the Novell Client 2.0 SP3 for Linux Administration Guide. 


eDirectory User Access to OES Servers 


eDirectory users have access to services on OES servers just like they do on NetWare, with one 
additional consideration—to access some of the services, users must have Linux user credentials, 
such as a user ID (UID) and primary group ID (GID). 


Because eDirectory users don't have Linux user credentials by default, Novell provides the Linux 
User Management (LUM) technology. Users and groups who need access to the affected services, 
must be enabled for eDirectory LDAP authentication to the local server. For more information, see 
"Linux User Management: Access to Linux for eDirectory Users" on page 213. 


16.12 Planning for Service Access 


After you understand the access options available to your network users, you can decide which will 
work best on your network. 


Planning tips for network services are contained in the following sections: 


* "Planning File Service Access" on page 233 
* "Planning Print Service Access” on page 234 


¢ “Matching Protocols and Services to Check Access Requirements" on page 235 


Planning File Service Access 


As you plan which file services to provide, be aware of the file service/volume and feature support 
limitations outlined in the following sections. 


* "Service Access to Volume Type Limitations" on page 233 
* "Feature Support" on page 234 


Service Access to Volume Type Limitations 


Supported combinations are outlined in Table 16-4. 
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Table 16-4 Service Access to Volume Types 


File Service Linux POSIX Volumes NSS Volumes on Linux 

AFP No Yes-Novell AFP 

CIFS Yes-Novell Samba Yes-Novell CIFS, Novell Samba 
NetStorage Yes Yes 

NetWare Core Protocol (NCP) Yes Yes 

NFS Yes Yes-NFSv3 

Novell iFolder 2.1x No No 

Novell iFolder 3.9.2 Yes Yes 


Details about the file systems supported by each file service are explained in the documentation for 


the service. 


Be aware that file services support different sets of access protocols. A summary of the protocols 
available for access to the various OES file services is presented in "Matching Protocols and Services 
to Check Access Requirements" on page 235. 


Feature Support 


Table 16-5 Features Supported on Each Volume Type 


Feature Linux POSIX Volumes NSS Volumes on Linux 

Directory quotas No Yes 

Login scripts Yes (if also defined as an NCP Yes 
volume) 

Mapped drives Yes (if configured as an NCP Yes 
volume) 

Novell directory and file attributes No Yes 

Purge/Salvage No Yes 

Trustee rights Yes (if configured as an NCP Yes 
volume) 

User space quotas No Yes 


Planning Print Service Access 


Novell iPrint has access control features that let you specify the access for each eDirectory User, 
Group, or container object to your printing resources. 


You can also use iPrint to set up print services that don't require authentication. 


NOTE: Access control for printers is supported only on the Windows iPrint Client. 


For more information on access control and iPrint, see "Setting Access Control for Your Print System" 
in the OES 11 SP3: iPrint Linux Administration Guide 
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Matching Protocols and Services to Check Access Requirements 


Figure 16-3 illustrates the access interfaces available to users in OES and the services that each 
interface can connect to. It also shows the protocols that connect access interfaces with network 
services. 


To use this for planning: 


1. Review the different access interfaces in the left column. 
2. In the middle column, review the protocols each interface supports. 


3. In the right column, view the services available to the interfaces via the protocols. 


Figure 16-3 Access Interfaces and Services, and the Protocols That Connect Them 
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16.1.3 


16.1.4 


16.1.5 


Coexistence and Migration of Access Services 


Because NetWare Core Protocol (NCP) is available in OES, your Novell Client users can attach to 
OES servers as easily as they have been able to attach to NetWare servers. In fact, they probably 
won't notice any changes. 


NCP Server for Linux enables support for login scripts, mapping drives to OES servers, and other 
services commonly associated with Novell Client access. This means that Windows users with the 
Novell Client installed can now be seamlessly transitioned to file services on OES. And with the 
Novell Client for Linux, Windows users can be moved to SUSE Linux Enterprise Desktop with no 
disruption in NCP file services. 


For more information, see the OES 11 SP3: NCP Server for Linux Administration Guide. 


Access Implementation Suggestions 


After you plan and install OES services, be sure to provide clear access instructions to your network 
users. For a summary of access methods, see Appendix D, "Quick Reference to OES User Services,” 
on page 321. 


Configuring and Administering Access to Services 


The following sections discuss administering access to services. 


* "Password Management" on page 236 
* "Linux (POSIX) File System Access Rights" on page 236 
* "NSS File and Directory Trustee Management" on page 237 


Password Management 


Many network administrators let users administer their own passwords. For more information on 
password self management, see "Password Self-Service" in the NetIQ Password Management 
Administration Guide. 


Linux (POSIX) File System Access Rights 


Access control to Linux POSIX file systems is controlled through POSIX file system access rights or 
attributes associated with directories and files. In general, the directories and files can be accessed 
by three POSIX entities: 

* The user who owns the directory or file 

* The group who owns the directory or file 

* All other users defined on the system 


These users and the affected group are each assigned (or not assigned) a combination of three 
attributes for each directory and file: 
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Table 16-6 Linux Access Rights 


Attribute Effect on Directory when Assigned Effect on File when Assigned 

Read Lets the user or group view the directorys Lets the user or group open and read the 
contents. file. 

Write Lets the user or group create or delete files Lets the user or group modify the file. 


and subdirectories in the directory. 


Execute Lets the user or group access the directory Lets the user or group run the file as a 
by using the cd command. program. 


For more information, see "Configuring Trustees and File System Attributes" in the OES 11 SP3: File 
Systems Management Guide. 


NSS File and Directory Trustee Management 


The OES 11 SP3: File Systems Management Guide contains a thorough discussion of file and 
directory trustee management in its "Configuring Trustees and File System Attributes" section. 


The following sections present brief information about managing trustees on NSS volumes. 


* "Using NetStorage to Change File and Directory Attributes and Trustees" on page 237 

* "Using the Novell Client to Change File and Directory Attributes and Trustee Rights" on page 237 
* "Using iManager 2.7 to Change File and Directory Attributes and Trustee Rights" on page 237 

* "Using the Linux Command Prompt to Change File Attributes" on page 237 

* "Using the Linux Command Prompt to Change Trustee Rights" on page 238 


Using NetStorage to Change File and Directory Attributes and Trustees 


You can use the NetStorage Web browser interface to change attributes and trustees for directories 
and files on NSS volumes, but you can't change them by using a WebDAV connection to NetStorage. 


Using the Novell Client to Change File and Directory Attributes and Trustee 
Rights 


You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights to 
an NSS volume on an OES server. For more information, see “NetWare File Security" in the Novell 
Client 4.91 SP5 for Windows XP/2003 Installation and Administration Guide and "Managing File 
Security" in the Novell Client 2.0 SP3 for Linux Administration Guide. 


Using iManager 2.7 to Change File and Directory Attributes and Trustee Rights 


You can use the iManager 2.7 Files and Folders plug-in to manage directories and files on NCP and 
NSS volumes. For more information, see the plug-in help. 


Using the Linux Command Prompt to Change File Attributes 
Use the attrib command to change file and directory attributes on an NSS volume. 


The attrib command is also documented in "Using the Attrib Utility to Set NSS File System 
Attributes" in the OES 11 SP3: File Systems Management Guide. 


You can also enter the following command at the command prompt: 
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16.2.1 


attrib --help 


Using the Linux Command Prompt to Change Trustee Rights 
To grant NSS trustee rights to an NSS volume, enter the following command: 
rights -f /full/directory/path -r rights_mask trustee full.object.context 


where /full/directory/path is the path to the target directory on the NSS volume, rights_mask is the list 
of NSS rights, and full. object.context is the object (User or Group) in its full eDirectory context 
including the tree name. 


For example, you might enter the following: 
rights -f /data/groupstuff -r rwfc trustee mygroup.testing.example_tree 
For a complete list of command options, enter rights at the command prompt. 


The rights command is also documented in “Using the Rights Utility to Set Trustee Rights for the NSS 
File System” in the OES 11 SP3: File Systems Management Guide. 


Authentication Services 


This section briefly discusses the following topics: 


* Section 16.2.1, “Overview of Authentication Services,” on page 238 

¢ Section 16.2.2, “Planning for Authentication,” on page 241 

* Section 16.2.3, “Authentication Coexistence and Migration,” on page 241 

* Section 16.2.4, "Configuring and Administering Authentication,” on page 241 


Overview of Authentication Services 


This section provides specific overview information for the following key OES components: 


* "Netldentity Agent" on page 238 
+ “NetlQ Modular Authentication Services (NMAS)” on page 239 
+ "Password Support in OES” on page 239 


For more authentication topics, see "access, authenticate, log in (http://www.novell.com/ 
documentation/oes11/index.html#cat_acc-auth-log)” in the OES online documentation. 


Netldentity Agent 


In OES 11, the Netldentity Agent works with NetIQ eDirectory authentication to provide background 
eDirectory authentication to NetStorage through a secure identity ^wallet" on the workstation. 


Netldentity Agent browser authentication is supported only by Windows Internet Explorer. 


The Novell Client provides authentication credentials to Netldentity, but it does not obtain 
authentication credentials from Netldentity because it is not a Web-based application. 


Netldentity Agent requires 
+ XTier (NetStorage) on the OES 11 server included in the URL for the Web-based applications. 


* The Netldentity agent installed on the workstations. 
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For more information on using the Netldentity agent, see the Net/dentity Administration Guide for 
NetWare 6.5. 


NetlQ Modular Authentication Services (NMAS) 


NetIQ Modular Authentication Services (NMAS) lets you protect information on your network by 
providing various authentication methods to NetlQ eDirectory on NetWare, Windows, and UNIX 
networks. 


These login methods are based on three login factors: 


* Password 
* Physical device or token 


* Biometric authentication 
For example: 


* You can have users log in through a password, a fingerprint scan, a token, a smart card, a 
certificate, a proximity card, etc. 


* You can have users log in through a combination of methods to provide a higher level of security. 


Some login methods require additional hardware and software. You must have all of the necessary 
hardware and software for the methods to be used. 


NMAS software consists of the following: 


* NMAS server components: Installed as part of OES. 


* The NMAS Client: Required on each Windows workstation that will be authenticating using 
NMAS. 


Support for Third-Party Authentication Methods 


Novell Client distributions include a number of NMAS login methods. 


For more information on how to use NMAS, see the Net/Q Modular Authentication Services 
Administration Guide. 


Password Support in OES 


In the past, administrators have needed to manage multiple passwords (simple password, NDS 
passwords, Samba passwords) because of password differences. Administrators have also needed 
to deal with keeping the passwords synchronized. 


In OES you have the choice of retaining your current password maintenance methods or deploying 
Universal Password to simplify password management. For more information, see the Net/Q 
Password Management Administration Guide. 


All Novell products and services are being developed to work with extended character (UTF-8 
encoded) passwords. For a current list of products and services that work with extended characters, 
see Novell TID 3065822 (http://www.novell.com/support/ 
search.do?cmd=displayKC&docType=kc&externalld=3065822&sliceld=1&docTypelD=DT_TID_1 1 
&dialoglD-77556590&stateld-09620096207 7560425). 


The password types supported in eDirectory are summarized in Table 16-7. 
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Table 16-7 eDirectory Password Types 


Password Type 


NDS 


Description 


The NDS password is stored in a hash form that is nonreversible in eDirectory. Only the 
NDS system can make use of this password, and it cannot be converted into any other 
form for use by any other system. 


Novell AFP and 
Novell CIFS 


In OES 11 SP3, AFP and CIFS users have Universal Password policies assigned by 
default. More information about password policy planning is available in Appendix J, 
"Coordinating Password Policies Among Multiple File Services," on page 359. 


Samba 


In OES 11 SP3, Samba users have a Universal Password policy assigned by default. 


OES 11 SP3 also supports the Samba hash password if desired. However, you must 
choose to not deploy Universal Password if you want to use the Samba hash password. 
Choosing the Samba password requires that users always remember to synchronize it 
when changing their eDirectory password. 


For more information, see “Samba Passwords" in the OES 11 SP3: Novell Samba 
Administration Guide. 


Simple 


The simple password provides a reversible value stored in an attribute on the User object 
in eDirectory. NMAS securely stores a clear-text value of the password so that it can use it 
against any type of authentication algorithm. To ensure that this value is secure, NMAS 
uses either a DES key or a triple DES key (depending on the strength of the Secure 
Domain Key) to encrypt the data in the NMAS Secret and Configuration Store. 


The simple password was originally implemented to allow administrators to import users 
and hashed passwords from other LDAP directories such as Active Directory and 
iPlanet*. 


The limitations of the simple password are that no password policy (minimum length, 
expiration, etc.) is enforced. Also, by default, users do not have rights to change their own 
simple passwords. 


Universal 


Universal Password (UP) enforces a uniform password policy across multiple 
authentication systems by creating a password that can be used by all protocols and 
authentication methods. 


Universal Password is managed in iManager by the Secure Password Manager (SPM), a 
component of the NMAS module installed on OES servers. All password restrictions and 
policies (expiration, minimum length, etc.) are supported. 


All the existing management tools that run on clients with the UP libraries automatically 
work with the Universal Password. 


Universal Password is not automatically enabled unless you install Novell AFP, Novell 
CIFS, Domain Services for Windows, or Novell Samba on an OES server. (You can 
optionally choose to have the Samba hash password stored separately. This requires, 
however, that users always synchronize the Samba password when changing their 
eDirectory password.) 


The Novell Client supports the Universal Password. It also supports the NDS password 
for older systems in the network. The Novell Client automatically upgrades to use 
Universal Password when UP is deployed. 


For more information, see “Deploying Universal Password” in the NetIQ Password 
Management Administration Guide. 
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16.2.2 


16.2.3 


16.2.4 


Planning for Authentication 


For planning topics, see the “access, authenticate, log in (http:/Avww.novell.com/documentation/ 
oesi1/index.html#cat_acc-auth-log)” in the OES online documentation. 


Authentication Coexistence and Migration 


n 


For authentication and security coexistence and migration information, see "Chapter 22, "Security, 
on page 289 and Chapter 23, "Certificate Management," on page 303” in this guide. 


Configuring and Administering Authentication 
For a list of configuration and administration topics, see "access, authenticate, log in (http:// 


www.novell.com/documentation/oes11/index.html#cat_acc-auth-log)” in the OES online 
documentation. 
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17.1 


17.2 


17.2.1 


17.2.2 


Backup Services 


The following sections briefly outline the backup services available in Open Enterprise Server 11 
SP3. 


* Section 17.1, "Services for End Users,” on page 243 
¢ Section 17.2, “System-Wide Services," on page 243 


Services for End Users 


OES 11 SP3 offers a number of services to automatically back up your network users' data files. 


* Archive and Version Services: If you implement Archive and Version Services on your 
network, your users can instantly restore any previous version of a modified, renamed, or 
deleted network file on an NSS volume without requiring assistance from the IT staff. 


* iFolder 3.9.2: By implementing Novell iFolder 3.9.2, you empower your users to have their local 


files automatically follow them everywhere—online, offline, all the time—across computers. 


Users can share files in multiple iFolders, and share each iFolder with a different group of users. 
Users control who can participate in an iFolder and their access rights to the files in it. Users can 


also participate in iFolders that others share with them. 


* Salvage and Purge: By default, all NSS volumes have the Salvage system enabled at the time 
they are created. With Salvage enabled, deleted files are retained on the volume for a short time, 


during which users can restore (salvage) them. File are eventually purged from the system, 


either manually, or by the system when the Purge Delay setting times out or space is needed on 


the volume. 


System-Wide Services 


OES offers both Novell Storage Management Services and services that are available as part of the 


SUSE Linux Enterprise Server distribution. 


¢ Section 17.2.1, "Links to Backup Partners," on page 243 
¢ Section 17.2.2, "Novell Storage Management Services (SMS),” on page 243 
¢ Section 17.2.3, “SLES 11 Backup Services," on page 244 


Links to Backup Partners 


See the Partners and Communities page on Novell.com (http://www.novell.com/products/ 
openenterpriseserver/partners communities.html). 


Novell Storage Management Services (SMS) 


+ "Understanding SMS" on page 244 
* "SMS Coexistence and Migration Issues" on page 244 
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17.2.3 


Understanding SMS 


Novell Storage Management Services (SMS) is not a backup application. Rather, it provides a 
standard framework and the necessary interfaces that can be used in developing a complete backup/ 
restore solution. SMS helps back up file systems (such as NSS) on OES servers to removable tape 
media or other media for offsite storage. 


SMS is implemented as two independent components that provide functional abstractions: 


* Storage Management Data Requestor (SMDR) defines the API framework, provides remote 
connectivity, and abstracts the details of communication between servers. 


* Target Service Agent (TSA) provides an implementation of SMS APIs for a particular target. The 
TSA provides transparency by abstracting details of the specific service being backed up. 


For example, various applications use the file system TSA to back up and restore NSS file 
system data and metadata (trustee assignments, file attributes, and name spaces). 


SMS Coexistence and Migration Issues 


In OES 11, the SMS API framework is available on SLES 11 so that there is a single consistent 
interface to back up file systems on NetWare, file systems on Linux, and Novell applications such as 
GroupWise and Novell iFolder. The API set has been enhanced to include new functionality for OES. 


Most of the SMS coexistence and migration issues are of concern only to backup application 
developers. However, administrators should be aware that SMS-based applications must be used to 
back up and restore NSS file system data on OES servers. Although NSS is exposed as a Virtual File 
System-compliant file system, the Linux interfaces are inadequate to back up NSS file system 
attributes, rich ACLs, trustees, and multiple data streams. 


For additional information, see “Coexistence and Migration Issues” in the OES 11 SP3: Storage 
Management Services Administration Guide for Linux. 


SLES 11 Backup Services 


Two SLES 11 services might be of interest. 


* DRBD: This lets you to create a mirror of two block devices at two different sites across an IP 
network. When used with HeartBeat 2 (HB2), DRBD supports distributed high-availability Linux 
clusters. For more information, see Distributed Replicated Block Device (DRBD) (http:// 
www.novell.com/documentation/sle_ha/book_sleha/data/cha_ha_drbd.html) in the SLES 11 
High Availability Guide (http://www.novell.com/documentation/sle_ha/book_sleha/data/ 
book_sleha.html). 


¢ rsync: This is useful when large amounts of data need to be backed up regularly or moved to 
another server, such as from a staging server to a Web server in a DMZ. For more information, 
see “Introduction to rsync” (http://www.suse.com/documentation/sles11/book_sle_admin/data/ 
sec_net_sync_rsync.html) in the SLES 11 Installation and Administration Guide (http:// 
WwWw.suse.com/documentation/sles11/book sle admin/data/book sle admin pre.html). 
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e File Services 


The file services in Open Enterprise Server 11 SP3 let you provide Web-based and network-based 
file services to your network users. 


This section contains the following information: 


* 


* 


* 


* 


* 


Section 18.1, "Overview of File Services," on page 245 

Section 18.2, "Planning for File Services," on page 255 

Section 18.3, "Coexistence and Migration of File Services," on page 258 

Section 18.4, "Aligning NCP and POSIX File Access Rights," on page 260 

Section 18.5, "Novell FTP (Pure-FTPd) and OES 11 SP3,” on page 264 

Section 18.6, "NCP Implementation and Maintenance," on page 272 

Section 18.7, "NetStorage Implementation and Maintenance," on page 273 

Section 18.8, "Novell AFP Implementation and Maintenance," on page 275 

Section 18.9, "Novell CIFS Implementation and Maintenance," on page 276 

Section 18.10, "Novell iFolder 3.9.2 Implementation and Maintenance," on page 277 


Section 18.11, "Samba Implementation and Maintenance," on page 278 


18.1 Overview of File Services 


The file service components in OES include the following: 


* 


* 


The file service components in OES are generally compatible. However you cannot run Novell 


FTP Services (page 246): Lets users securely transfer files to and from OES servers. 


NetWare Core Protocol (page 246): Provides NetWare Core Protocol (NCP) access to NCP 


volumes (including NSS volumes) that you define on OES server partitions. 


NetStorage (page 247): Provides network and Web access to various file services through 


common file service protocols, such as CIFS. 


The NetStorage server doesn’t actually store files and folders. Rather, it provides access to other 


file services that support the native TCP/IP protocol. 


Novell AFP (page 250): Provides native Macintosh access to files stored on an NSS volume on 


an OES server. 


Novell CIFS (page 251): Provides native Windows (CIFS and HTTP-WebDAV) access to files 


stored on an NSS volume on an OES server. 


Novell iFolder 3.9.22 (page 252): Provides a Web-based and network-based repository (Novell 


iFolder server) that stores master copies of locally accessible files on the OES server. 


Novell Samba (page 253): Provides Windows (CIFS and HTTP-WebDAV) access to files stored 


on an OES server's file system. 


Samba on the same OES server as Novell AFP, Novell CIFS, or Domain Services for Windows, which 


is not reviewed as a file service, but includes an alternative Samba file service instead of Novell 


Samba. 
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18.1.1 


18.1.2 


18.1.3 


Using the File Services Overviews 


Each graphical overview in the following sections introduces one of the OES file service components. 
If visual presentations help you grasp basic concepts, continue with the following overviews. If you 
prefer to skip the overviews, go to Section 18.2, "Planning for File Services," on page 255. 


FTP Services 


OES 11 SP3 offers a level of integration between eDirectory and Pure-FTP that allows users to 
authenticate to eDirectory for FTP access to the server. You simply select the Novell FTP Server 
pattern in the OES 11 SP3 installation, then make sure the users needing access are LUM-enabled 
and have access rights to the areas on the server they need to use. You can also migrate an existing 
FTP server configuration from a NetWare server to OES 11 SP3. 


For migration instructions and a brief FAQ, see “Migrating FTP to OES 11 SP3” in the OES 11 SP3: 
Migration Tool Administration Guide. 


For documentation on Pure-FTP, visit the Pure-FTP Web site (http://pureftpd.sourceforge.net/ 
documentation.shtml). 


NetWare Core Protocol 


NetWare Core Protocol (NCP) is the technology beneath many of the network services for which 
NetWare is famous. 


In OES, NCP is also available on Linux. The Novell NCP Server for Linux provides the rich file 
services that Novell is known for. Windows and Linux users who run Novell Client software can 
access data, manage files and folders, map drives, etc., using the same methods as they do on 
NetWare servers. 


Figure 18-1 illustrates the basics of NCP file services. For more information on how NCP can help 
you manage access to network resources, see "Access Control and Authentication" on page 227. 
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Figure 18-1 NCP Services for Linux and NetWare 
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The following table explains the information illustrated in Figure 18-1. 


Table 18-1 NCP Access 


Access Methods Authentication NCP Services 

Access is through an NCP client— All file service access is controlled Files are stored on NetWare or NCP 

specifically, the Novell Client. by eDirectory authentication. volumes that the administrator has 
created. 


The same core set of NetWare file 
attributes are available on both Linux 
and NetWare. 


18.14  NetStorage 


* "Common Network File Storage Problems" on page 247 
* "NetStorage" on page 248 


NetStorage makes network files available anywhere, any time. 


Common Network File Storage Problems 


Network file access is often confusing and frustrating to users, as illustrated in Figure 18-2. 
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Figure 18-2 Common Network File Storage Problems 
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The following table explains the information illustrated in Figure 18-2. 


Table 18-2 NetStorage Access Solutions 


Access Methods Authentication Target File Systems Solution: NetStorage 
Browser or PDA accessis Authentication helps Having diverse file Novell NetStorage ties 
critical to those who must protect information storage services only all of these issues 
travel. However, access assets, but having diverse adds to the complexity together with an easy- 
method support varies authentication methods and confusion. to-administer, easy-to- 
widely among file service leads to frustration and use solution. 
providers. lost productivity. 

NetStorage 


NetStorage on OES provides local and Web access to files on many systems without requiring the 
Novell Client (see Figure 18-3). 
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Figure 18-3 How NetStorage Works on OES 
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The following table explains the information illustrated in Figure 18-3. 
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Table 18-3 NetStorage on Linux 


Access Methods Authentication NetStorage Server Target Servers 
Users have read and write File service access is The NetStorage server NetStorage on Linux can 
access to files from controlled by LDAP- receives and connect eDirectory users to 
based authentication processes connection their files and folders stored 
* Windows Explorer: through the eDirectory requests and provides _ in the following locations: 
LDAP server. access to storage on 
Enabled by the HTTP various servers onthe  * Windows workgroup 
protocol with WebDAV Although shown network. shares (CIFS or 
extensions. separately, eDirectory Samba shares) 
« (Broweere:Usersican could be running on the + Linux POSIX volumes 
access files directly by CES server, through an SSH 
connecting to the connection. 


NetStorage server. 


* PDAs: PDA users with 
network connections can 
access their files as well. 


Linux volumes can also be 
made available as NCP 
volumes. 


Management of NSS 
volumes on OES through 
NetStorage requires SSH 
access to the server. See 
"When Is SSH Access 
Required?" on page 151. 


Access is granted through 
login script drive mapping 
(NCP server required) or 
through Storage Location 
Objects. 


18.15 Novell AFP 


The Novell AFP service lets users on Macintosh workstations access and store files on OES servers 
with NSS volumes (see Figure 18-4). 


Figure 18-4 How Novell AFP Works 
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Table 18-4 AFP Access 


Access Points Authentication 


eDirectory users on Macintosh workstations All file service access is 

have native access to NSS volumes on the controlled by LDAP-based 

OES server. authentication through the 
eDirectory LDAP server. 


Although shown separately, 
eDirectory could be installed on 


the OES server. 


Novell CIFS 


AFP File Services 


Of course, the same files can 
also be accessed through other 
OES file services (such as 
NetStorage) that connect to 
NSS volumes. 


The Novell CIFS service lets users on Windows workstations access and store files on OES servers 
with NSS volumes without installing any additional software, such as the Novell Client (see Figure 18- 


4). 


Figure 18-5 How Novell CIFS Works 
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Table 18-5 CIFS Access 


Access Methods 


eDirectory users on Windows workstations 
have two native Windows file access 
options: 


* CIFS Client Access: Windows 
Explorer users can access and modify 
files on the OES server just as they 


would on any workgroup server share. 


* Web Folder: Users can create Web 
Folders in Windows Explorer or 
Internet Explorer. 


Files on the OES server are accessed 
and maintained with the HTTP- 
WebDAV protocol. 


Novell iFolder 3.9.22 


Authentication CIFS File Services 


All file service access is 
controlled by LDAP-based 
authentication through the 
eDirectory LDAP server. 


Of course, the same files can 
also be accessed through other 
OES file services (such as 
NetStorage) that connect to 


NSS volumes. 
Although shown separately, 


eDirectory could be installed on 
the OES server. 


Novell iFolder 3.9.2 supports multiple iFolders per user, user-controlled sharing, and a centralized 
network server for file storage and secure distribution (see Figure 18-6). 


Figure 18-6 How Novell iFolder Works 
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The following table explains the information illustrated in Figure 18-6. 


Table 18-6 iFolder Access 


Access Methods Authentication/File Encryption Novell iFolder 3.9.2 
Services 

Linux, Mac, and Windows workstation All file service access is controlled Slave servers can be added 

users who have the Novell iFolder Client by LDAP- based authentication as needed, providing the 

installed can access and modify their files through the eDirectory LDAP ability to dynamically grow 

in one or more workstation folders. server. iFolder services without 

Changes are automatically synchronized disrupting users. 


with the iFolder 3.9.2 Enterprise servers. Although shown separately, 
eDirectory could be installed on the Local and network copies of 


A Web interface lets users access their files OES server. each file are automatically 
from any computer with an active network . synchronized by the Novell 
or Internet connection. Files can be encrypted for transport Folder Client and Server 


using SSL connections (HTTPS). ^ pieces, 


Additional overview information is available in the Novell iFolder 3.9.2 Administration Guide. 


Novell Samba 


Novell Samba on an OES server provides Windows (CIFS and HTTP-WebDAV) access to files stored 
on the OES server (see Figure 18-7). 
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Figure 18-7 How Samba on OES Works 
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The following table explains the information illustrated in Figure 18-7. 
Table 18-7 Samba Access 
Access Methods Authentication File Storage Services 
eDirectory users on Windows workstations All file service access is Of course, the same files can 
have two native Windows file access controlled by LDAP-based also be accessed through other 
options (if their eDirectory accounts have authentication through the OES file services (such as 
been enabled for LUM and Samba): eDirectory LDAP server. NetStorage) that connect to 


Linux volumes. 
* CIFS Client Access: Windows Although shown separately, 


Explorer users can access and modify eDirectory could be installed on 
files on the Samba server just as they the OES server. 
would on any workgroup server share. 


* Web Folder: Users can create Web 
Folders in Windows Explorer or 
Internet Explorer. 


Files on the OES server running 
Samba are accessed and maintained 
with the HTTP-WebDAV protocol. 
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18.2.1 


Samba is an open source initiative. In addition to Linux support, Samba initiatives provide support for 
other platforms such as Apple Computer’s operating systems. More information is available on the 
Web (http://www.samba.org). 


Planning for File Services 


Functional overviews of each file service product are included in Section 18.1, “Overview of File 
Services,” on page 245. 


¢ Section 18.2.1, “Deciding Which Components Match Your Needs,” on page 255 
¢ Section 18.2.2, "Comparing Your CIFS File Service Options,” on page 256 


¢ Section 18.2.3, "Planning Your File Services," on page 257 


Deciding Which Components Match Your Needs 


To decide which file service components to install, you should match service features listed in Table 
18-8 to your network's file service requirements. 


Table 18-8 OES File Services Feature Breakdown 


Service Access Method Features Back-End Storage Features Security Features 

NCP Server Novell Client (NCP client) * Any Linux volumes * eDirectory 

(NetWare Core (including NSS) that are Authentication 

Protocol) defined as NCP volumes 

NetStorage * Any supported * Linux POSIX volumes * Secure LDAP 
browsers Authentication 


* NCP volumes 
* Personal Digital 
* 
Assistant (PDA) NSS volumes 
* * Samba (CIFS) servers 
Remote access 


(browser-based) * Windows (CIFS) servers 


* Web Folders (on either 
an Internet Explorer 
browser or in Windows 
Explorer) 


* Windows Explorer 


Novell AFP * Macintosh Chooser * NSS volumes * Secure LDAP 
Authentication 
Novell CIFS * Any CIFS client * NSS volumes * Secure LDAP 
Authentication 


* Remote access (Web 
Folders in the Internet 
Explorer browser) 


* Windows Explorer 
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Service Access Method Features Back-End Storage Features Security Features 


Novell iFolder 3.9.2 * Linux File Managers * Novell iFolder 3.9.2 * Files can be 
: Enterprise server file encrypted for 
* 
MRCINGSI chooser repository on OES server transport through 
* Offline access with file SSL (HTTPS). 
synchronization + Secure LDAP 
(between local and AS 
: Authentication 
network copies) on 
reconnect 
* Web browsers 
* Windows Explorer 
Except for Web browser 
access, each method above 
requires an installed iFolder 
client. 
Novell Samba * Any CIFS client * Linux POSIX file system * Secure LDAP 
on OES server Authentication 


* Remote access (Web 
Folders in the Internet * NSS volumes 
Explorer browser) 


* Windows Explorer 


18.2.2 Comparing Your CIFS File Service Options 


OES offers three file services that use the CIFS protocol: Novell CIFS, Novell Samba, and Samba in 
Domain Services for Windows (DSfW). 


Table 18-9 Comparing OES CIFS Solutions 


Item Novell CIFS Novell Samba Samba in DSfW 
Authentication A Password policy that A Samba-compatible The Domain Services Password 
allows the CIFS proxy user Password policy is required policy is required for DSfW 
to retrieve passwords is for compatibility with users. The domain is set up as 
required. Windows workgroup a trusted environment. 
authentication. 


DSfW uses Active Directory 
authentication methods, such 
as Kerberos, to ensure that only 
authorized users can log in to 
the domain. 
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Item Novell CIFS Novell Samba Samba in DSfW 


File system NSS is the only file system It is recommended (but not required) that you create Samba 
support supported for this release. shares on NSS data volumes. 


NSS is fully integrated with eDirectory for easier 
management, and using an NSS volume allows you to take 
advantage of the rich data security model in NSS. You can 
use either iManager or the nssmu utility to create an NSS 
volume on an OES server. For instructions on how to set up 
an NSS volume, see "Managing NSS Volumes" in the OES 11 
SP3: File Systems Management Guide. 


LUM and Samba LUM and Samba Users must be enabled for eDirectory users in the domain 
enablement enablement are not LUM and Samba and (eDirectory partition) are 
required. assigned to a Samba automatically Samba users and 
group. are enabled to access Samba 


shares. See "Creating Users" in 
the OES 11 SP3: Domain 
Services for Windows 
Administration Guide. 


Domain users are set up with 
the necessary UID and default 
group (DomainUsers) 
membership. 


Every additional eDirectory 
group created within the domain 
is automatically Linux-enabled. 


Username and The same username and The same username and eDirectory users in the domain 

password password must exist on password must exist on (eDirectory partition) can log 
both the Windows both the Windows into any workstation that has 
workstation and in workstation and in joined the domain. There is no 
eDirectory. eDirectory. need for a corresponding user 


object on the workstation. 


18.2.3 Planning Your File Services 


1 For the file services you plan to install, compute the total additional RAM required (above the 
basic system requirement). 


* NCP: There are no additional RAM requirements. 

* NetStorage: There are no additional RAM requirements. 
* Novell AFP: There are no additional RAM requirements. 
* Novell CIFS: There are no additional RAM requirements. 


* Novell iFolder 3.9.2: Suggestions for calculating the additional RAM you need are 
contained in "Server Workload Considerations" in the Novell iFolder 3.9.2 Administration 
Guide. 


* Samba: There are no additional RAM requirements. 


2 Record the additional required RAM in your planning notes. 
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3 For the file services you plan to install, compute the total additional disk space required (above 
the basic system requirement). 


* 


NCP: Allocate enough disk space to meet your users’ file storage needs. On Linux, this 
space must exist on partitions you have designated as NCP volumes. 


NetStorage: There are no disk space requirements because NetStorage provides access 
only to other file storage services. 


Novell AFP: Allocate enough disk space for the partition containing the /home directories to 
meet your users' file storage needs. 


Novell CIFS: Allocate enough disk space for the partition containing the /home directories 
to meet your users' file storage needs. 


Novell iFolder 3.9.2: Suggestions for calculating the additional disk space you need are 
contained in "Server Workload Considerations" in the Novell iFolder 3.9.2 Administration 
Guide. 


Samba: Allocate enough disk space for the partition containing the /home directories to 
meet your users' file storage needs. 


4 Record the additional required disk space in your planning notes. 


5 For the file services you plan to install, refer to the information in the sections of the OES 11 SP3 
installation guide that are indicated in the following table. 


Note your planning choices on your planning sheet. 


File Service Product Linux Planning References 

NCP "Novell NCP Server / Dynamic Storage Technology" in the OES 11 SP3: 
Installation Guide 

NetStorage "Novell NetStorage" in the OES 11 SP3: Installation Guide 

Novell AFP "Novell AFP Services" in the OES 11 SP3: Installation Guide 

Novell CIFS "Novell CIFS for Linux" in the OES 11 SP3: Installation Guide 

Novell FTP "Novell FTP Services" in the OES 11 SP3: Installation Guide 

Novell iFolder 3.9.2 "Novell iFolder" in the OES 11 SP3: Installation Guide 

Samba "Novell Samba" in the OES 11 SP3: Installation Guide 


Coexistence and Migration of File Services 


Storing shared data on network servers is only half of the picture. The other half is making it possible 


for users 


of Windows, Macintosh, and UNIX/Linux workstations to access the data. 


This section discusses migration of the following services: 


¢ Section 18.3.1, "Novell Client (NCP),” on page 259 
¢ Section 18.3.2, “NetStorage,” on page 259 

¢ Section 18.3.3, “Novell AFP,” on page 259 

¢ Section 18.3.4, "Novell CIFS,” on page 259 

* Section 18.3.5, "Novell iFolder 3.9.2," on page 260 
¢ Section 18.3.6, “Samba,” on page 260 
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18.3.2 


18.3.3 


18.3.4 


Novell Client (NCP) 


Novell Client for Windows is the long-standing software solution for providing NCP access to 
NetWare data from Windows workstations. The Novell Client extends the capabilities of Windows 
desktops to access the full range of Novell services, such as authentication to eDirectory, network 
browsing and service resolution, and secure file system access. It supports traditional Novell 
protocols such as NCP, RSA, and NDAP, and it interoperates with open protocols such as LDAP. For 
more information on the Novell Client for Windows 7, see the Novell Client 2 SP1 for Windows 
Administration Guide. For older Windows workstations, see the Novell Client 4.91 SP5 for Windows 
XP/2003 Installation and Administration Guide 


The Novell Client for Linux provides these same services for Linux workstations. For more 
information on the Novell Client for Linux, see the Novell Client 2.0 SP3 for Linux Administration 
Guide. 


Because NCP is now available on Linux, Novell Client users can attach to OES servers as easily as 
they have been able to attach to NetWare servers. The NCP Server for Linux enables support for 
login script, mapping drives to OES servers, and other services commonly associated with Novell 
Client access. 


For more information on NCP Server for Linux, see the OES 11 SP3: NCP Server for Linux 
Administration Guide. 


NetStorage 


NetStorage provides Web access to the files and directories on OES servers from browsers and 
Web-enabled devices such as PDAs. 


Because NetStorage is a service that facilitates access to file services in various locations but doesn't 
actually store files, there are no coexistence or migration issues to consider. 


For more information about NetStorage, see the OFS 11 SP3: NetStorage Administration Guide for 
Linux. 


Novell AFP 


Novell AFP provides native AFP protocol access from Macintosh workstations to data on OES 
servers, offering the same basic AFP connectivity that was previously available only on NetWare. No 
Novell Client software is required. 


For information on migrating AFP services from NetWare to OES 11 SP3, see "Migrating AFP to OES 
11 SP3” in the OES 11 SP3: Migration Tool Administration Guide. 


Novell CIFS 


Novell CIFS provides native CIFS protocol access from Windows workstations to data on OES 
servers, offering the same basic CIFS connectivity that was previously available only on NetWare. No 
Novell Client software is required. 


For information on migrating CIFS services from NetWare to OES 11 SP3, see "Migrating CIFS to 
OES 11 SP3" in the OES 11 SP3: Migration Tool Administration Guide. 
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Novell iFolder 3.9.2 


iFolder 3.9.2 supports multiple iFolders per user, user-controlled sharing, and a centralized network 
of servers to provide scalable file storage and secure distribution. Users can share files in multiple 
iFolder folders, and share each iFolder folder with a different group of users. Users control who can 
participate in an iFolder folder and their access rights to the files in it. Users can also participate in 
iFolder folders that others share with them. 


Novell iFolder 3 is only available on OES. 


For information on migrating from iFolder 2 to iFolder 3.9.2, see "Migrating iFolder 2.x" in the OES 11 
SP3: Migration Tool Administration Guide. 


Samba 


OES includes Samba software to provide Microsoft CIFS and HTTP-WebDAV access to files on the 
server. Like Novell CIFS, this is useful to those who don't want to use the Novell Client. 


There is no migration path from Novell CIFS (NFAP) to Samba. 


For more information about Samba in OES 11 SP3, see the OES 11 SP3: Novell Samba 
Administration Guide. 


Aligning NCP and POSIX File Access Rights 


NetWare administrators have certain expectations regarding directory and file security. For example, 
they expect that home directories are private and that only the directory owner can see a directory's 
contents. However, because of the differences in the NetWare Core Protocol (NCP) and POSIX file 
security models (see Section 22.2.1, "Comparing the Linux and the Novell Trustee File Security 
Models," on page 291) that is not the case by default on POSIX file systems. 


Fortunately, when you install Linux User Management (LUM) in OES, there is an option to make 
home directories private. This option automatically provides the privacy that NetWare administrators 
are used to seeing. Unfortunately, the option only applies to newly created home directories, so there 
is more to understand and do if aligning access rights is an issue for you. 


Use the information in this section to understand how you can configure POSIX directories to more 
closely align with the NCP model. 

¢ Section 18.4.1, "Managing Access Rights,” on page 261 

¢ Section 18.4.2, "Providing a Private Work Directory,” on page 262 

¢ Section 18.4.3, "Providing a Group Work Area," on page 262 

¢ Section 18.4.4, "Providing a Public Work Area,” on page 263 

¢ Section 18.4.5, "Setting Up Rights Inheritance," on page 263 
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Managing Access Rights 


NCP directories are, by default, private. When you assign a user or a group as a trustee of a directory 
or file, those trustees can automatically navigate to the assigned area and exercise whatever access 
privileges you have assigned at that level and below. You can assign as many trustees with different 
access privileges as you need. 


On the other hand, Linux POSIX directories can be accessed through three sets of permissions 
defined for each file object on a Linux system. These sets include the read (r), write (w), and execute 
(x) permissions for each of three types of users: the file owner, the group, and other users. The Linux 
kernel in OES also supports access control lists (ACLs) to expand this capability. However, ACLs are 
outside the scope of this discussion. For more information on ACLs, see “Access Control Lists in 
Linux” (http://www.suse.com/documentation/sles11/book security/data/cha acls.html) in the SLES 
11 SP4: Security Guide (http:/Awww.suse.com/documentation/sles11/index.html). 


The Linux chown command lets you change the file owner and/or group to a LUM user or a LUM- 
enabled group. For example, chown -R user1 /home/useri changes the owner of the user1 home 
directory and all its subdirectories and files to user1. For more information, see the chown man page 
on your OES server. 


The Linux chmod command provides a very simple and fast way of adjusting directory and file access 
privileges for the three user types: owner, group, and other (all users). In its simplest form, the 
command uses three numbers, ranging from 0 through 7, to represent the rights for each of the three 
user types. The first number sets the rights for the owner, the second number sets the rights for the 
group, and the third number sets the rights for all others. Each number represents a single grouping 
of rights, as follows: 


Number Setting Binary Representation 
0 --- 000 
1 m 001 
2 -W- 010 
3 -WX 011 
4 r-- 100 
5 r-x 101 
6 rw- 110 
7 rwx 111 


Those familiar with the binary number system find this method an easy way to remember what each 
number represents. 


For example, the command chmod 777 /home would grant read, write and execute rights (7) to 
owner, group, and other for the /home directory, while chmod 700 /home would grant the three rights 
to only the directory owner, with group and other having no rights. chmod 750 /home would grant rwx 
rights to the owner, r-x rights to the group, and no rights to other users. 


For more information about the chmod command, see the chmod man page on your OES server. 
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Providing a Private Work Directory 


To make an NCP directory private, you assign a single user as the trustee and make sure that no 
unexpected users or groups have trustee rights in any of the parent directories. 


To provide a private work area on a Linux POSIX volume: 


1 Make the user is the directory owner. For example, you could use the chown command to 


change the owner (user), 
chown -R user: /path/user_dir 


where user is the eDirectory user, path is the file path to the work directory, and user_dir is the 
work directory name. The -R option applies the command recursively to all subdirectories and 
files. 


Grant only the user read, write, and execute rights (rwx --- --- ) to the directory. For example, you 
could use the chmod command as follows, 


chmod -R 700 /path/user_dir 
where path is the file path to the work directory, and user_dir is the work directory name. 


Check each parent directory in the path up to the root (/) directory, making sure that all users 
(referred to as “other users” in Linux) have read and execute rights (r-x) in each directory as 
shown by the third group of permissions (...... r-x). (Owner and group permissions are 
represented by dots because their settings are irrelevant.) 


The reason for checking directories is that in the parent directories the directory owners are 
“other” users and they need to be able to see the path down to their own private directories. 


Because r-x is the default for most directories on Linux, you probably won't need to change the 
permissions. 


Providing a Group Work Area 


On an NCP volume, you can provide a group work area by assigning users to a group and then 
granting the group trustee rights to the directory. As an alternative, if users need different levels of 
access within the work area, you can assign each user as a trustee and grant only the rights needed. 


To provide a group work area on a Linux POSIX volume: 


1 Use the chown command to set group ownership for the directory. For example, you could enter 


chown -R :group /path/group dir 


where group is the group name, path is the file path to the work area, and group dir is the group 
work directory. The -R option applies the action to all subdirectories and files in group dir. 


Grant the group read, write, and execute rights (. . . rwx . . .). (Owner and other permissions are 
represented by dots because their settings are irrelevant.) 


For example, you could enter 
chmod -R 770 /path/group dir 


where path is the file path to the work area, and group dir is the group work directory. The 
second 7 grants rwx to the group. (The example assumes that the owner of the directory should 
also retain all rights. Therefore, the first number is also 7.) 
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3 Check each parent directory in the path up to the root (/)directory, making sure that the group 
has read and execute rights (r-x) in each directory as shown by the second group of permissions 
(...0-X...). 


Use the chmod command to adjust this where necessary by specifying the number 5 for the 
group permission. For more information, see “Section 18.4.1, “Managing Access Rights,” on 
page 261.” 


Providing a Public Work Area 


On an NCP volume, you can provide a public work area by assigning [Public] as a trustee and then 
granting the required trustee rights to the directory. 


For the work area itself, you would set permissions for the owner, group, and all others to read, write, 
and execute rights (rwx rwx rwx) (chmod 777). 


All others must also have read and execute rights on the system in each parent directory in the path 
all the way to the root of the Linux system. This means that you set permissions for all parent 
directories to rwx --- r-x. 


To provide a public work area on a Linux POSIX volume: 


1 Use the chown command to assign all rights (rwx) to other (all users). For example, you could 
enter 


chmod -R 707 /path/group dir 


where path is the file path to the work area, and group dir is the group work directory. The third 7 
grants rwx to the group. (The example assumes that the owner of the directory should also retain 
all rights and that the group setting is irrelevant.) 


2 Check each parent directory in the path up to the root (/)directory, making sure that all users 
(other) have read and execute rights (r-x) in each directory as shown by the third group of 
permissions (...... rwx). (Owner and group permissions are represented by dots because their 
settings are irrelevant.) 


Use the chmod command to adjust this where necessary by specifying the number 5 for the 
other permission. For more information, see "Managing Access Rights" at the beginning of this 
section. 


Setting Up Rights Inheritance 


The final step in aligning POSIX rights to the NCP model is setting the Inherit POSIX Permissions 
volume flag in the NCP configuration file so that all files and subdirectories created in these areas 
inherit the same permissions as their parent directory. For instructions, see "Configuring Inherit 
POSIX Permissions for an NCP Volume" in the OES 11 SP3: NCP Server for Linux Administration 
Guide. 
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Novell FTP (Pure-FTPd) and OES 11 SP3 


FTP file services on OES 11 SP3 servers are provided by Pure-FTPd, a free (BSD), secure, 
production-quality and standard-conformant FTP server. The OES implementation includes support 
for FTP gateway functionality as on NetWare and offers a level of integration between eDirectory and 
Pure-FTP that allows users to authenticate to eDirectory for FTP access to the server. 


This section discusses the following topics: 


¢ Section 18.5.1, "Planning for Pure-FTPd,” on page 264 

¢ Section 18.5.2, “Installing Pure-FTPd,” on page 264 

¢ Section 18.5.3, “Home Directory Support in Pure-FTPd,” on page 264 

¢ Section 18.5.4, “Configuring Pure-FTPd on an OES 11 SP3 Server,” on page 265 


¢ Section 18.5.5, “Administering and Managing Pure-FTPd on an OES 11 SP3 Server,” on 
page 266 


¢ Section 18.5.6, “Cluster Enabling Pure-FTPd in an OES 11 SP3 Environment,” on page 270 
¢ Section 18.5.7, “Migrating Pure-FTPd From NetWare to Linux,” on page 271 
¢ Section 18.5.8, “Troubleshooting Pure-FTPd from Novell,” on page 271 


Planning for Pure-FTPd 


Before installing Pure-FTPd, make sure that users requiring FTP access are LUM-enabled and have 
access rights to the areas on the server they need to use. 


Installing Pure-FTPd 


To install Pure-FTPd, select the Novell FTP Server pattern in the OES 11 SP3 installation. 


Home Directory Support in Pure-FTPd 


The FTP server supports a home directory for users on local and remote NCP servers. The remote 
server can be an OES server. When the home directory is set for the user in eDirectory, the user is 
placed in the home directory on successful login to the Linux server. 


Pure-FTPd supports three levels of home directory, default home directory, a user specific home 
directory on the local system, and a user specific home directory identified by the value set in 
eDirectory. 


POSIX User Home Directory 


The POSIX home directory is the directory that is available by default on POSIX file systems. The 
POSIX home directory is defined at the file system level and cannot be disabled. 


DefaultHomebDirectory and eDirectory home directories can be disabled. If one or both of them are 
enabled, the following is used to establish the precedence: 

* User specific home directory set in eDirectory 

* Default home directory 


* POSIX user home directory 
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User Specific Home Directory in eDirectory 


An administrator can set the home directory for eDirectory users as part of the User object in 
eDirectory. On successful login to the FTP server, the user is placed in the home directory set in the 
user object. The User's home directory can exist either on the OES server that is hosting the FTP 
service or on any other OES server in the same tree. 


A new EnableRemoteHomeDirectory option is now available to support this home directory. By 
default, this option is set to NO and the home directory set for the user in eDirectory is ignored. 


To enable eDirectory based home directory support, you must set both 
EnableRemoteHomeDirectory and remote_server to YES. FTP will then read the user’s home 
directory from eDirectory and mount it locally. 


Default Home Directory 


DefaultHomeDirectory indicates the path to the common home directory for all FTP users. On 
successful login to the Pure-FTPd, users are placed in the default home directory. The default home 
directory can be local or on a locally mounted NSS path or on a remote NCP Server. It can be either 
an NCP volume or an NSS volume and it can be configured by using the DefaultHomeDirectory 
and DefaultHomeDirectoryServer settings. If the home directory is on a remote server, use 
DefaultHomeDirectoryServer, and set it to the IP or DNS name of the remote NCP server. As with 
any NSS volume, the FTP client should have required rights over the NSS volume whether 
DefaultHomeDirectory is on a local or remote server or not. 


The DefaultHomeDirectoryServer option is now available to differentiate whether 
DefaultHomeDirectory is on a local or remote server. By default, this option is set to NO so 
DefaultHomeDirectory points to a local path. 


To set DefaultHomeDirectory to point to a remote NCP server with a DNS entry, you must specify 
the full path to the remote server, including the volume name. For example, DefaultHomeDirectory 
/ftphome. You must also set both DefaultHomeDirectory and remote_server to YES. 


NOTE: If DefaultHomeDirectory path is a POSIX path (non NCP volume) then it is supported only on 
local FTP server and not on remote server. In that case DefaultHomeDirectory path should be /home/ 
commonpath (any POSIX path) and DefaultHomeDirectoryServer should be Null or commented. 


Backslash in Input Paths 
Support for backslashes in input path is provided. Using FTP client on Windows, you can use 


backslash as separator in the path. allow_backslash_in_path option is now available to allow back 
slash in the path. By default the option is set to NO. 


Configuring Pure-FTPd on an OES 11 SP3 Server 


To configure the Pure-FTPd server on OES 11 SP3, edit the /etc/pure-ftpd/pure-ftpd.conf file. 


NOTE: It is very strongly recommended that you read through the entire /etc/pure-ftpd/pure- 
ftpd.conf file and be familiar with the available parameters and settings. 


For complete details, refer the pure-ftpd man page. 


The following table lists the recommended configuration parameters for Pure-FTPd. 
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Table 18-10 Configuration Parameters 


Parameter 


DefaultHomeDirectory 


Description 


Default home directory of the user. 


Default Value 


MaxClientsNumber Maximum numbers of clients that can 10 
simultaneously access the server. 
PassivePortRange Port range for passive connection replies. | 30000 
Range must be a minimum of 
2*MaxClientsNumber. 
30100 
MaxClientsPerlP Maximum number of sim clients with the 3 
same IP address 
NoRename Set to yes if you do not want the users to — yes|no 
rename the files 
remote server Enables remote server navigation for the yes 
FTP server 
ChrootEveryone parameter is required to 
be disabled for remote server to be 
enabled 
disallow list oes server Disables the site slist from listing the yes 
OES servers 
edir Idap port LDAP port of the eDirectory server 389:0 
AnonymousOnly Enables authenticated connection to pure- no 
ftp server 
NoAnonymous Disables anonymous connection yes 
ChrootEveryone Allows the user to browse outside the no 
home directory. 
This configuration is required for remote 
server navigation 
DefaultHomeDirectoryServer Allows to differentiate whether no 
DefaultHomeDirectory is on local or remote 
server. 
EnableRemoteHomebDirectory Supports eDirectory based home directory. no 


allow backslash in path 


Allows Windows user to you use backslash 
as separator in the path. 


Administering and Managing Pure-FTPd on an OES 11 SP3 


Server 


* "Starting Pure-FTPd" on page 267 
¢ “Initializing Multiple Instances" on page 267 


+ “Unloading Specific Instances" on page 268 


* "Pure-FTPd Remote Server Navigation" on page 268 
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Starting Pure-FTPd 


Start the Pure-FTPd server using the rcpure-ftpd command. 


Initializing Multiple Instances 


Pure-FTPd is loaded by using a configuration file. Multiple instances of Pure-FTPd can be loaded 
using different configuration files. 


By default, an instance of Pure-FTPd using /etc/pure-ftpd/pure-ftpd.conf file is loaded at the 
boot time by init.d script. For loading multiple instances, new configuration files need to be created. 


To load a new instance of Pure-FTPd: 


1 Create a new configuration file for each instance. 


For example: Copy /etc/pure-ftpd/pure-ftpd.conf to a different location. Rename the file 
to pure-ftpd1.conf and move it to /etc/opt/novell/pure-ftpdi.conf. 


Modify the following settings in the configuration file to avoid IP address or port conflicts between 
the instances: 


* PIDFile: Points to the full path of the PID file created by the pure-ftpd instance. PID file is 
used for unloading a particular instance of pure-ftpd. Hence, ensure that the PID File path is 
unique for every instance. 


For example: /var/run/pure-ftp1.pid, /var/run/pure-ftp2.pid. 


* Bind: By default, pure-ftpd binds to all the IP addresses on the system and listens to 
requests over port 21. Modify the settings of the bind such that all the pure-ftpd instances 
bind to different IP addresses or port combinations. 


also, modify the settings in the /etc/pure-ftpd/pure-ftpd.conf to avoid any IP address 
or port conflict from the second instance. 


For example: If a system has two interfaces with two IP addresses 10.1.1.1 and 10.1.1.2, 
then the bind setting for two pure-ftpd instances can be Bind 10.1.1.1,21 and Bind 
10.1.1.2,21. 


Load the new instance using /usr/sbin/pure-config.pl «Full path of the config file» 


For example: /usr/sbin/pure-config.pl /etc/opt/novell/pureftpd-confs/pure- 
ftpdi.conf loads an instance using the config file /etc/opt/novell/pureftpd-confs/pure- 
ftpdi.conf. 


Verifying the Load of a New Instance 


Use the following methods to verify that the new instance of pure-ftpd is successfully loaded: 


* 


The ps -eaf | grep pure-ftpd command lists all the instances of pure-ftpd loaded on the 
System. 


The PID file as specified using the PIDFile entry in the configuration file has been created. 


An FTP connection from the client to the server over the IP address being used by the pure-ftpd 
instance can be created. 
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Unloading Specific Instances 


A new script, pure-ftp-stop.p1, is added to unload an instance of pure-ftpd and all its child 
processes. The full path of the configuration file used to load the instance of pure-ftpd must be 
passed to the pure-ftp-stop.pl script. 


For example: /usr/sbin/pure-ftpd-stop.pl /etc/opt/novell/pureftpd-confs/pure- 
ftpd1.conf unloads the instance of pure-ftpd that was loaded using /etc/opt/novell/pureftpd- 
confs/pure-ftp1.conf. 


The PID file of the pure-ftpd instance is also used for unloading the pure-ftpd instance. 


Verifying the Unload of a New Instance 


* The PID file specified using the PIDFile entry in the configuration file has been deleted. 
* The number of instances displayed by ps -eaf | grep pure-ftpd is reduced. 


* An FTP connection request to the server errors out. 


Pure-FTPd Remote Server Navigation 


After logging in to the eDirectory tree, users can access files and directories on a remote Linux server 
whether or not the server is running Linux FTP Server software. The remote server can be another 
Linux OES server. 


This section describes how to configure and use the Remote Server Navigation feature. 
+ "Configuring Novell FTP” on page 269 
+ "Path Formats” on page 269 
¢ "SITE Command" on page 270 


* "Disable-ascii" on page 270 


Workstation running 
FTP client software 


9, user uses FTP to connect to 
the local Linux FTP Server. 


= 


Linux OES/NetWare server 
FTP running NetWare 4.1 or later 
without the FTP service 


: NCP 
= WV. wv 
Local Linux server e 


After logging in to running the histories 
tne ETF server the FTP service Linux OES/NetWare 
user accesses the 

remote server from BSNS 

the command line. 


Y 
(C 


The NCP protocol lets you transfer files and navigate to and from remote OES servers. 


To navigate to remote servers, use the following command: 
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cd //remote server name/volume/directory pathname 


File operations such as get, put, and delete can be used on the remote server, even without 
changing the directory path to that server. 


For example: 
get //remote_server_name/volume/directory path/filename 


The double slash (//) indicates that the user wants to access a remote server. After the double slash, 
the first entry must be the name of the remote server. 


Configuring Novell FTP 
Configuration file: /etc/pure-ftpd/pure-ftpd.conf 


The configuration parameters for remote server navigation are as follows: 


Entry Value Function 


remote_server yes Enables remote server navigation for the Pure-FTPd server. 


disallow_list_oes_server yes Disables SITE SLIST command for listing OES machines. 


edir Idap port 389 eDirectory LDAP port 


The following configuration parameters needs to be set for remote server navigation: 


Entry Value Reason Why 


ChrootEveryone no Option yes restricts users to login only to his home directory and cannot 


navigate to other directories including remote OES servers. 


AnonymousOnly no Option yes allows only anonymous logins. 
Path Formats 


Table 18-11 Linux FTP Server path formats 


Task 


Specifying the volume and directory path name 


Command Format 


//server_name/volume_name/directory_path 


Navigating to different volumes 


cd //server_name/volume_name 


Switching back to the home directory 


cd ~ 


Switching to home directory of any user 


cd ~user_name 


Switching to the root of the server 


/root 


NOTE: The Linux FTP Server does not support wildcards at the root of the server. 
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SITE Command 
The SITE command enables FTP clients to access features specific to the Linux FTP Server. 
The SITE command has the following syntax: 


SITE [SLIST] 


NOTE: The settings done through SITE commands are valid only for the current session. 


This command is unique to the Linux FTP service and are not standard FTP commands. 


Table 18-12 provides the SITE command along with the description: 


Table 18-12 Linux FTP SITE command 


Command Description 


SLIST Lists all the OES servers within the eDirectory tree. 
Site list command accepts an eDirectory context in 
LDAP format. By default, site slist command lists all 
the NCP Servers in the entire tree. When context is 
passed to the command it lists all the NCP Servers 
within the context. 


NOTE: All the FTP users needs to be LUM-enabled on the FTP server. 


Disable-ascii 


This command is to enable or disable ascii based file transfer. If this is set to YES, all the file transfers 
are done in a binary mode and the client command 'TYPE A' is ignored. 


18.5.6 Cluster Enabling Pure-FTPd in an OES 11 SP3 Environment 


You can configure Pure-FTPd server in active/active mode of Novell Cluster Services. 


* "Prerequisites" on page 270 


* "Active/Active Mode" on page 270 


Prerequisites 


* Novell Cluster Services is installed and setup. 


For step-by-step information on setting up Novell Cluster Services, refer to "Installing, 
Configuring, and Repairing Novell Cluster Services" in the “OES 11 SP3: Novell Cluster Services 
for Linux Administration Guide." 


ActivelActive Mode 


In active/active cluster mode, multiple instances of FTP server runs on a single node cluster. 


Pure-FTPd must be associated with a shared NSS volume and the DefaultHomeDirectory of users 
must be on the shared NSS volume. 
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18.5.8 


Configuring Active/Active Mode 
1 Install pure-ftpd on all the cluster nodes by selecting Novell FTP in the OES install. Upgrade 
pure-ftpd on all the nodes with the test RPM. 
2 Enable hard links on the shared NSS volumes. 


3 Create a unique configuration file for every FTP server to be associated with a shared NSS 
volume. Ensure that: 


¢ The Bind setting in the configuration file is same as the IP Address of the virtual server 
created for the NSS pool. 


* The PID file must be unique for each FTP instance running on the cluster. 


4 Copy the configuration file to the shared volume to /etc/opt/novell on the shared volume. 
Copying the configuration file to the shared volume, the file is automatically moved across the 
nodes with the volume and is always available to the FTP Server. 


For example: If the shared volume is FTPVol1, the path to copy the configuration file is /media/ 
nss/FTPVol1/etc/opt/novell/pure-ftpd. 


5 Configure all the FTP servers for DefaultHomeDirectory support. As NSS volume is shared, the 
DefaultHomeDirectory in the configuration file must be on the shared volume. 


For example: If FTPVo11 is the shared volume attached to an FTP Server, DefaultHomeDirectory 
in the configuration file is /media/nss/FTPVol1/FTPShare. 


6 Update the load and unload scripts of the cluster resource. 
* Load script: Add the following command to load the FTP server with the shared volume: 
/usr/sbin/pure-config.pl «Full Path to configuration file> 


For example: If the shared volume is FTPVol1 and the Pure-FTP configuration file is /etc/ 
opt/novell/pure-ftpd/ftpvoli.conf on FTPVol1, the pure-ftpd load command in the 
load script is exit on error /usr/sbin/pure-config.pl /media/nss/FTPVoli/etc/ 
opt/novell/pure-ftpd/ftpvol1.conf. 


* Unload script: Add the following command to unload the FTP server: 
/usr/sbin/pure-ftpd-stop.pl «Full Path to configuration file> 


Configuration file path must be same as the one passed to pure-config.pl in the load script. 


NOTE: In iManager, load and unload the cluster resources. Pure-ftpd instances must be loaded along 
with the shared NSS volumes. During the migration process, the pure-ftpd instances alongwith the 
associated shared volumes are moved across the cluster nodes. 


Migrating Pure-FTPd From NetWare to Linux 
You can also migrate an existing FTP server configuration from a NetWare server to OES 11 SP3. For 


migration instructions and a brief FAQ, see “Migrating FTP to OES 11 SP3” in the OES 11 SP3: 
Migration Tool Administration Guide. 


Troubleshooting Pure-FTPd from Novell 


Applying the OES 11 SP1 May 2014 Scheduled Maintenance Update Puts the 
novfsd daemon into an Unused State 


FTP and other services require the novfsd daemon. Applying the May 2014 Scheduled Maintenance 
Update puts novfsd into an unsed state. 
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18.6.1 


18.6.2 


To restore novfsd functionality, reboot the server. 


If you are using Novell ZENworks for managing maintenance updates, after you apply the update, 
execute the following command at a terminal prompt: 


/sbin/chkconfig --add novfsd 
Then reboot the server. 
After the server reboots, the daemon always runs irrespective of its previous state. 


This issue does not exist if you upgrade to OES 11 SP3. 


NCP Implementation and Maintenance 


If you have installed the NCP server for OES, eDirectory/Novell Client users can access files on the 
OES 11 SP3 server with no additional configuration. 


The implementation information in the following sections can help you get started with NCP on OES 
11 SP3 servers. 

¢ Section 18.6.1, “The Default NCP Volume,” on page 272 

¢ Section 18.6.2, “Creating NCP Home and Data Volume Pointers,” on page 272 

¢ Section 18.6.3, “Assigning File Trustee Rights,” on page 273 

¢ Section 18.6.4, “NCP Caveats,” on page 273 

¢ Section 18.6.5, “NCP Maintenance,” on page 273 


The Default NCP Volume 


The NCP Server for OES enables NCP access to NCP and NSS volumes defined on the OES server. 
When you install the NCP server, the installation creates one NCP volume named SYS: that maps to 
the /usr/novell/sys folder on the OES server. 


This NCP volume contains LOGIN and PUBLIC directories that, in turn, contain a small subset of the 
files traditionally found on a NetWare server in the directories with the same names. 


Creating NCP Home and Data Volume Pointers 


Initially, there are no NCP home directories or data volumes available to Novell Clients that attach to 
an OES server. 


For existing eDirectory users: If you want users to have NCP home or data directories on the 
server, you must decide where you want these directories to reside on the server's partitions and then 
create NCP volumes by using the NCPCON utility at the terminal prompt. 


For example, if you wanted to create an NCP volume (pointer) named HOME and mount it to the /usr 
folder on the Linux server, you would enter the following command at the command prompt: 


ncpcon create volume HOME /usr 


After issuing this command, when a Novell Client attaches to the OES server, the HOME: volume 
appears along with the SYS: volume created by the installation. 
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18.6.3 


18.6.4 


18.6.5 


18.7 


For new eDirectory users: If you create an NCP or NSS volume on the server prior to creating 
users, then you have the option of specifying that volume in iManager as the location of the home 
directory for the new users. 


IMPORTANT: NCP Volume pointers are always created with uppercase names (HOME:, SYS:, etc.) 
regardless of the case specified when the volume pointers are created. 


Assigning File Trustee Rights 


You can use the same methods for assigning file trustee rights on NCP volumes on OES servers that 
you use when assigning them on NetWare. For example, the Novell Client can be used by anyone 
with the Access Control right on the volume, or the root user can use the ncpcon utility > rights 
command at a command prompt to administer NCP trustee rights. See “Managing File System 
Trustees, Trustee Rights, and Attributes on NCP Volumes’in the OES 11 SP3: NCP Server for Linux 
Administration Guide. (The ncpcon rights command is related to but not the same as the rights 
utility used to manage trustees on NSS volumes.) 


NCP Caveats 


Cross-protocol file locking (CPL) is enabled by default on all new servers with NCP installed. For 
more information, see Section 3.9.6, "Cross-Protocol File Locking Might Need To Be Reconfigured if 
AFP or CIFS Is Functioning on an NCP Server,” on page 90. 


NCP Maintenance 


Because NCP provides Novell Client access to files on NetWare and OES servers, the service is 
covered by maintenance tasks that apply to file systems on these servers. For information on 
maintaining file services, see "storage, file systems, & databases (http://www.novell.com/ 
documentation/oes11/index.html#cat_stor-file-systems-databases)” in the online documentation. 


NetStorage Implementation and Maintenance 


The following sections are provided only as introductory information. For more information about 
using NetStorage, see the OES 11 SP3: NetStorage Administration Guide for Linux. 

* Section 18.7.1, "About Automatic Access and Storage Locations," on page 274 

* Section 18.7.2, "About SSH Storage Locations," on page 274 

* Section 18.7.3, "Assigning User and Group Access Rights," on page 274 

* Section 18.7.4, "Authenticating to Access Other Target Systems," on page 275 

* Section 18.7.5, "NetStorage Authentication Is Not Persistent by Default," on page 275 

* Section 18.7.6, "NetStorage Maintenance,” on page 275 
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18.7.1 


18.7.2 


18.7.3 


About Automatic Access and Storage Locations 


The inherent value of NetStorage lies in its ability to connect users with various servers and file 
systems. Some connections are created automatically depending on the OES platform where 
NetStorage is installed. Other connections must be created by the network administrator. 


NetStorage provides automatic access to: 


* NSS volumes on the same server that use the default mount point (/media/nss) 
* User Home directories that are specified in eDirectory on NCP or NSS volumes. 


* Drive mapping locations in login scripts of the user logging in (if the NCP Server for Linux is 
running on the server) 


Administrators can create storage locations to storage on any of the target servers illustrated in 
Figure 18-3 on page 249, including Dynamic Storage Technology (DST) volume pairs and Distributed 
File Services (DFS). For instructions on creating Storage Locations, see "Creating a Storage Location 
Object" in the OES 11 SP3: NetStorage Administration Guide for Linux. 


About SSH Storage Locations 


If you plan to use SSH storage locations, be aware that by default any users who are enabled for 
Samba cannot access data stored at the SSH locations. Additional steps are required to grant 
simultaneous access to Samba and SSH. For more information, see Section 11.5, “SSH Services on 
OES 11 SP3,” on page 151. 


Assigning User and Group Access Rights 


Because NetStorage provides access to other file storage systems, the users and groups that access 
the other systems through NetStorage must be granted file and directory access on those systems. 


For example: 
* eDirectory users must exist in the eDirectory tree where the OES server resides and have 
access rights to the files and directories on the OES server. 


* Windows users must exist on the Windows systems and have the required access rights to the 
files and directories on those systems. 


* |f your users will access Samba files on an OES server, they must be enabled for LUM and 
Samba access on the OES server. For more information, see "OES Services That Require LUM- 
Enabled Access" on page 216. 


IMPORTANT: The eDirectory usernames and passwords that are used to authenticate to the 
NetStorage (OES) server must match the usernames and passwords defined on the target systems. 
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18.7.5 


18.7.6 


18.8 


Authenticating to Access Other Target Systems 


The OES installation establishes a primary authentication domain (or context) for NetStorage. To 
access any storage location, users must exist somewhere in this primary domain. When it receives 
an authentication request, NetStorage searches for the username in the context you specified during 
OES installation and in all its subcontexts. 


Authentication to other file systems is often controlled by other authentication domains. For example, 
you might create a storage location on the OES server that points to a legacy NetWare server that 
resides in a different eDirectory tree. To access this storage location, users must authenticate to the 
other tree. 


This means that you must specify an additional context in the NetStorage configuration as a non- 
primary authentication domain. 


When defining a non-primary authentication domain, you must 


* Ensure that the username and password in the non-primary domain matches the username and 
password in the primary domain. 


* Specify the exact context where User objects reside. In contrast to the way it searches in the 
primary authentication domain, NetStorage doesn't search the subcontexts of non-primary 
authentication domains. 


For more information about managing NetStorage authentication domains, see "Authentication 
Domains" in the OES 11 SP3: NetStorage Administration Guide for Linux. 


NetStorage Authentication Is Not Persistent by Default 


By default, users must reauthenticate each time they access NetStorage in a browser. This is true 
even if another browser window is open and authenticated on the same workstation. 


The reason for this is that persistent cookies are not enabled by default. 


This setting can be changed. For more information, see "Persistent Cookies" in the OES 11 SP3: 
NetStorage Administration Guide for Linux. 


NetStorage Maintenance 


Your NetStorage installation can change as your network changes and evolves by providing access 
to new or consolidated storage locations. For information about the kinds of tasks you can perform to 
keep your NetStorage implementation current, see the OES 11 SP3: NetStorage Administration 
Guide for Linux. 


Novell AFP Implementation and Maintenance 


To use the Novell implementation of AFP file services on your OES 11 SP3 server, you must install 
the service by using the instructions in the OES 11 SP3: Installation Guide (for a new installation) or 
install it after the initial OES installation, as explained in "Installing AFP after OES 11 SP3 Installation" 
in theOES 11 SP3: Novell AFP for Linux Administration Guide. 

¢ Section 18.8.1, "Implementing Novell AFP File Services," on page 276 


* Section 18.8.2, “Maintaining Novell AFP File Services," on page 276 
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18.8.1 


18.8.2 


18.9 


18.9.1 


18.9.2 


Implementing Novell AFP File Services 


NOTE: If you are new to OES, we recommend the OES 11 SP2: Getting Started with OES 11 and 
Virtualized NetWare for an introduction to creating and working with eDirectory objects and OES file 
services, including Novell AFP. 


All eDirectory users can access the AFP file services on an OES 11 SP3 server as they would any 
Macintosh server. 


Maintaining Novell AFP File Services 


Information on maintaining your AFP installation is found in theOES 11 SP3: Novell AFP for Linux 
Administration Guide. 


Novell CIFS Implementation and Maintenance 


To use the Novell implementation of CIFS file services on your OES server, you must install the 
service by using the instructions in the OES 11 SP3: Installation Guide (for a new installation) or 
install it after the initial OES installation, as explained in "Installing CIFS after the OES 11 SP3 
Installation" in the OES 11 SP3: Novell CIFS for Linux Administration Guide. 

¢ Section 18.9.1, "Implementing Novell CIFS File Services,” on page 276 


¢ Section 18.9.2, "Maintaining Novell CIFS File Services," on page 276 


Implementing Novell CIFS File Services 


NOTE: If you are new to OES, we recommend the OES 11 SP2: Getting Started with OES 11 and 
Virtualized NetWare for an introduction to creating and working with eDirectory objects and OES file 
services, including Novell CIFS. 


All eDirectory users can access the CIFS file services on an OES 11 SP3 server as they would any 
Windows workgroup server. 


For instructions on implementing Novell CIFS, see "Planning and Implementing CIFS" in the OES 11 
SP3: Novell CIFS for Linux Administration Guide. 


Maintaining Novell CIFS File Services 


Information on maintaining your CIFS installation is found in the OES 11 SP3: Novell CIFS for Linux 
Administration Guide. 
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18.10.1 


18.10.2 


18.10.3 


18.10.4 


Novell iFolder 3.9.2 Implementation and 
Maintenance 


The following implementation pointers are provided only as introductory information. To begin using 
Novell iFolder, see the Novell iFolder 3.9.2 Administration Guide. 

* Section 18.10.1, "Managing Novell iFolder 3.9.2," on page 277 

* Section 18.10.2, "Configuring Novell iFolder 3.9.2 Servers," on page 277 

* Section 18.10.3, "Creating and Enabling Novell iFolder 3.9.2 Users," on page 277 

* Section 18.10.4, "Novell iFolder 3.9.2 Maintenance," on page 277 


Managing Novell iFolder 3.9.2 


You manage Novell iFolder through the iFolder Management Console, which you can access directly 
or through iManager. For more information, see "Installing and Configuring iFolder Services" in the 
Novell iFolder 3.9.2 Administration Guide. 


Configuring Novell iFolder 3.9.2 Servers 


Before you let users log in to the Novell iFolder 3.9.2 server, be sure you complete all the setup tasks 
in "Installing and Configuring iFolder Services" (including "Configuring the iFolder Web Admin Server" 
if applicable) in theNovell iFolder 3.9.2 Administration Guide. 


Creating and Enabling Novell iFolder 3.9.2 Users 


To provide user access to Novell iFolder 3.9.2: 


1. Provision eDirectory User objects for iFolder 3.9.2. 
. Enable the User Account Policies for iFolder access. 
. (Optional) Enable Account Quotas (space limits) for the user accounts. 


. Create iFolders for users. 


oa A 0 N 


. Distribute the iFolder Client to users. 


For more information, see “Managing iFolder Users” in the Novell iFolder 3.9.2 Administration Guide. 


Novell iFolder 3.9.2 Maintenance 


As the Novell iFolder service load increases, you might need to increase the server capacity or add 
additional servers. For help, see “Installing and Configuring iFolder Services” in the Novell iFolder 
3.9.2 Administration Guide. 
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18.11.1 


18.11.2 


Samba Implementation and Maintenance 


To use the Novell implementation of Samba file services on your OES server, you must install the 
service by using the instructions in the OES 11 SP3: Installation Guide (for a new installation) or 
install it after the initial OES installation, as explained in "Installing Novell Samba for OES" in the OES 
11 SP3: Novell Samba Administration Guide. 


¢ Section 18.11.1, "Implementing Samba File Services," on page 278 
¢ Section 18.11.2, "Maintaining Samba File Services," on page 278 


Implementing Samba File Services 


All users whose accounts have been enabled for Samba access can access the OES server as they 
would any Windows server. 


For instructions on implementing Samba, see "Installing Novell Samba for OES" in the OES 11 SP3: 
Novell Samba Administration Guide. 


Maintaining Samba File Services 


Information on maintaining your Samba installation is found in the OES 11 SP3: Novell Samba 
Administration Guide. 


278 File Services 


19.1 


19.1.1 


19.1.2 


Print Services 


Open Enterprise Server 11 SP3 includes Novell iPrint, a powerful and easy-to-implement printing 
solution that provides print-anywhere functionality to network users. 


This section contains the following information: 


¢ Section 19.1, "Overview of Print Services,” on page 279 
¢ Section 19.2, "Planning for Print Services," on page 281 
¢ Section 19.3, “Coexistence and Migration of Print Services," on page 281 
¢ Section 19.4, "Print Services Implementation Suggestions,” on page 282 


¢ Section 19.5, "Print Services Maintenance Suggestions,” on page 283 


Overview of Print Services 


Novell iPrint lets Linux, Macintosh, and Windows users 


* Quickly locate network printers through a Web browser. 
* Easily install and configure a located printer through a native printer installation method. 


¢ Print to installed printers from any location (including the Web) through an IP connection. 


The information in this section provides a high-level overview of Novell iPrint print services. It is 
designed to acquaint you with basic iPrint functionality so you understand the configuration steps you 
need to perform to provide iPrint print services, and understand how iPrint functions from the user's 
perspective. 

¢ Section 19.1.1, "Using This Overview,” on page 279 

« Section 19.1.2, "iPrint Components," on page 279 


¢ Section 19.1.3, "iPrint Functionality,” on page 280 


Using This Overview 


If you already know that you want to provide OES print services for your users and you understand 
how iPrint works, skip the overviews and continue with Section 19.2, "Planning for Print Services," on 
page 281. 


If you want to learn more about iPrint, continue with this overview section. 


iPrint Components 


A Novell iPrint installation consists of various components, most of which are represented by objects 
in your eDirectory tree: 


* Print Driver Store: This is a repository that stores the drivers on an OES server for your 
network printers. It is the first component you configure and is represented by an eDirectory 
object that you create. It corresponds to the Print Broker on NetWare. 
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¢ Printer Drivers: These are the platform-specific printer drivers and PostScript* Printer 
Description (PPD) files that are stored in the Driver Store and are installed on workstations when 
users select a target printer. Printer drivers and PPD files exist as file structures within the Driver 
Store and are not represented by objects in eDirectory. 


* Printer Objects: These are eDirectory objects you create that store information about the 
printers available through iPrint. The information stored in an object is used each time its 
associated printer is added to a workstation's list of available printers. 


* Print Manager: This is a daemon that runs on OES. It receives print jobs from users and 
forwards them to the target printer when it is ready. It is represented by and controlled through an 
eDirectory object that you can configure. 


* iPrint Client: This is a set of browser plug-ins. On Macintosh and Windows workstations it is 
automatically installed the first time it interacts with iPrint. On Linux workstations, it must be 
installed manually. The client is required on each platform to navigate through the iPrint Web 
pages, select a target printer, and install the print driver. 


19.13  iPrint Functionality 


Figure 19-1 describes how iPrint functions from a user workstation perspective. 


Figure 19-1 How iPrint Works 
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The following table explains the information illustrated in Figure 19-1. 
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19.2 


19.3 


Table 19-1 iPrint Functionality 


Access 


The iPrint Client must be installed 
on each workstation accessing 
iPrint services. 


A user needing to use a printer for 
the first time accesses the 
organization's print page on the 
Web. 


When the user selects the target 
printer, its platform-specific driver is 


Authentication 


You can require authentication for 
Windows users if needed. The 
option to require authentication is 
not available for Linux and 
Macintosh users. 


Although shown separately, 
eDirectory could be installed on the 
OES server. 


Printing Services 


Users with the iPrint Client installed 
and access to the OES server can 
install printer drivers and print to 
iPrint printers. 


By default, iPrint generates a printer 
list for the printers hosted on the 
server. 


A customized Web page lets users 
browse to the target printer by using 


location lists and maps that you 
have previously created for the site 
where the printer is located. 


automatically installed and 
configured. 


After printer installation, users can 
print to the printer from any 
application. 


Planning for Print Services 


We recommend that you record your decisions in planning notes for future reference. 
Consider the following information as you plan your iPrint installation: 


* iPrint has no additional RAM requirements. 


* Most iPrint installations (even in large enterprises) do not require additional disk space for 
associated print job spooling. 
However, if you anticipate very heavy print usage and want to plan for additional disk space in 


that regard, the iPrint spooler area is located in the /var partition or directory structure on OES 
servers. 


* To finish planning your iPrint installation, refer to the information in "Novell iPrint" in the OES 11 
SP3: Installation Guide 


Coexistence and Migration of Print Services 


If you select iPrint during the OES server installation, the iPrint software components are 
automatically installed on the server. Although the Common UNIX Printing System (CUPS) software 
is installed with the SLES 11 packages, CUPS is disabled to avoid port 631 conflicts. 


For information on upgrading from NetWare queue-based printing, Novell Distributed Print Services 
(NDPS), or previous versions of iPrint, see "Installing iPrint Software" in the NW 6.5 SP8: iPrint 
Administration Guide. 


For more information on configuring iPrint on OES, see "Installing and Setting Up iPrint on Your 
Server" in the OES 11 SP3: iPrint Linux Administration Guide. 


Migrating iPrint services from a NetWare server to an OES 11 SP3 server is supported by the OES 11 
SP3 Migration Tool. For more information, see "Migrating iPrint to OES 11 SP3" in the OES 11 SP3: 
Migration Tool Administration Guide. 
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19.4 


19.4.1 


Print Services Implementation Suggestions 


This section provides only summary implementation information. For complete iPrint documentation, 
see the OES 11 SP3: iPrint Linux Administration Guide. 


* 


* 


* 


Section 19.4.1, "Initial Setup," on page 282 
Section 19.4.2, "Implementation Caveats," on page 283 


Section 19.4.3, "Other Implementation Tasks," on page 283 


Initial Setup 


After your OES server is installed, you must do the following to complete your iPrint installation: 


1 


Create a Driver Store to store the print drivers. 


This eDirectory object stores the drivers for your network printers. Each Printer object you create 
for your network needs to reference a printer driver in Driver Store. When users subsequently 
install printers, the correct drivers for the platform running on their workstation are downloaded 
from the Driver Store and installed. 


You create the Driver Store through iManager. For specific instructions, see "Creating a Driver 
Store" in the OES 11 SP3: iPrint Linux Administration Guide 


Add a printer driver to the Driver Store for each printer/platform combination needed. 


For example, If you have Windows XP, Windows 7, and Novell Linux Desktop (NLD) 
workstations on your network and you have four different printer types, you need to add four 
printer drivers for each platform (a total of 12 printer drivers) to the Driver Store. 


You add printer drivers to the store through iManager. For specific instructions, see "Updating 
Printer Drivers" in the OES 11 SP3: iPrint Linux Administration Guide 


Create a Print Manager object. 


The Print Manager receives print jobs from users and forwards them to the target printer when it 
is ready. The Print Manager must be running for you to create Printer objects. 


The Print Manager is an object you create in eDirectory and is usually started and stopped 
through iManager. 


You create the Print Manager object through iManager. For specific instructions, see "Creating a 
Print Manager” in the OES 11 SP3: iPrint Linux Administration Guide 


Create Printer objects. 


You must create a Printer object for each printer you want users to access through iPrint. These 
objects store information about the printer that is used each time the printer is installed on a 
workstation. 


You create Printer objects through iManager. For specific instructions, see "Creating a Printer" in 
the OES 11 SP3: iPrint Linux Administration Guide 


(Optional) Create location-based, customized printing Web pages. 


By default, each iPrint installation includes the creation of a Default Printer List Web page that 
users can access to install iPrint printers. 


You have the option of enhancing the browsing experience by creating location-based printing 
Web pages that feature either lists of printers by location, maps of the buildings showing each 
printer, or a combination of both. 


If your organization is located in a building with multiple floors or even at multiple sites, providing 
location-based print Web pages can greatly simplify printing for your users. 
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Your iPrint installation contains the iPrint Map Designer to help you easily create location maps 
with clickable printer icons. For more information, see “Setting Up Location-Based Printing” in 
the OES 11 SP3: iPrint Linux Administration Guide 


6 Provide instructions to users for accessing iPrint printers. 


After performing the steps above, your network is ready for iPrint functionality. You need only tell 
users how to access your printing Web pages; Novell iPrint does the rest. 


19.4.2 Implementation Caveats 


There are a few implementation caveats relating to iPrint on Linux. See "iPrint" on page 119. 


19.4.3 Other Implementation Tasks 


In addition to the tasks described in Section 19.4.1, "Initial Setup," on page 282, there are additional 
tasks you might want or need to consider. To see a list of potential tasks, refer to the "Print Services 
(http:/Awww.novell.com/documentation/oes11/index.html#cat_iprint)” links in the OES online 
documentation. 


195 Print Services Maintenance Suggestions 


As you add printers to your network or move them to different locations, be sure to update your iPrint 
installation to reflect these changes. 


After your installation is completed and users are printing, you can monitor print performance by using 
the information located in "Using the Print Manager Health Monitor" in the OES 11 SP3: iPrint Linux 
Administration Guide 


For more information on iPrint and its functionality within OES, see the "Print Services (http:// 
www.novell.com/documentation/oes11/index.htmlZcat iprint)" links in the online documentation. 
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Search Engine (QuickFinder) 


Open Enterprise Server 11 SP3 includes the Novell QuickFinder Server. QuickFinder lets you add 
search functionality to any Web site or internal intranet. It can index and find matches within a wide 
variety of data types. It also supports rights-based searches so that users see only what they have 
rights to see, depending on the type of index created and the file system indexed. 


When indexing a file system, the QuickFinder engine indexes only what the wwwrun user and the www 
group have rights to see. 


For more information, see the topics in “Search Engine (http://www.novell.com/documentation/oes11/ 
index.html#cat_quick-finder)” in the OES 11 SP3 online documentation or refer to the OES 11 SP3: 
Novell QuickFinder Server 5.0 Administration Guide. 
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Web Services 


The Web and application services in Open Enterprise Server 11 SP3 support the creation and 
deployment of Web sites and Web applications that leverage the widespread availability of Internet- 
based protocols and tools. 


With the proper Web components in place, a server can host dynamic Web sites where the content 
changes according to selections made by the user. You can also run any of the hundreds of free Web 
applications that can be downloaded from the Internet. Web and application services make it easy to 
build your own dynamic Web content and create customized Web database applications. 


See the OES 11 SP3: Web Services and Applications Guide and the topics in “Web Services (http:// 
www.novell.com/documentation/oes11/oes11_toc/data/index-category.html#cat_web-services)” in the 
OES online documentation. 


Apache 
OES 11 includes Apache 2.2, the most popular Web server on the Internet. 


For additional information, see the Apache.org Web site (http://httpd.apache.org/docs/2.2/). 


Tomcat 


OES 11 includes Tomcat 6.0, which is used to run basic Java servlet and JavaServer Pages (JSP) 
applications. 


For information, see the Apache Tomcat 6.0 Web site (http://tomcat.apache.org/tomcat-6.0-doc/ 
index.html). 
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Security 


This section contains the following topics: 


¢ Section 22.1, "Overview of OES Security Services,” on page 289 

¢ Section 22.2, “Planning for Security,” on page 291 

¢ Section 22.3, “Configuring and Administering Security,” on page 295 

¢ Section 22.4, “Resolving Nessus Security Scan Issues,” on page 295 
¢ Section 22.5, “Links to Product Security Considerations,” on page 301 
¢ Section 22.6, “Links to Anti-Virus Partners," on page 302 


22.1 Overview of OES Security Services 


This section provides specific overview information for the following key OES components: 


¢ Section 22.1.1, “Application Security (AppArmor)," on page 289 
¢ Section 22.1.2, “NSS Auditing Engine,” on page 289 

¢ Section 22.1.3, “Encryption (NICI),” on page 290 

¢ Section 22.1.4, "General Security Issues,” on page 291 


22.1.1 Application Security (AppArmor) 


Novell AppArmor provides easy-to-use application security for both servers and workstations. You 
specify which files a program can read, write, and execute. 


AppArmor enforces good application behavior without relying on attack signatures and prevents 
attacks even if they are exploiting previously unknown vulnerabilities. 


For more information, see the Novell AppArmor Documentation Web site (http://www.novell.com/ 
documentation/apparmor/index.html). 


22.1.2 NSS Auditing Engine 


OES includes the NSS Auditing Engine, which is installed by default with NSS. 


The auditing engine provides an interface for auditing client applications, such as Novell Sentinel and 
various third-party products to access. Information about the auditing engine SDK is available on the 
Novell Web site (http://developer.novell.com/wiki/index.php/NSS Auditing SDK). 


Using the SDK, client applications can be developed to audit various NSS file system operations on 
files and directories, including: 

* delete 

* create 

* open 


* close 
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* rename 

¢ link 

* metadata modified 

* trustee add/delete 

* inherited rights modified 


Novell Sentinel Log Manager 90-Day Free Trial 


Novell Sentinel Log Manager runs on a 64-bit SLES 11 host. You can download the suite from the 
Novell Download Web site (http://download.novell.com/Download?buildid=yDnJELwauAo-~). For 
installation and usage instructions, see the Novell Log Management Readme and Release Notes 
included as a link on the download page. 


Third-Party Partner Applications 


The following Novell partners are currently developing applications for use with the NSS Auditing 
Engine: 

* Blue Lance 

* NetVision 


* Symantec 


Encryption (NICI) 


The Novell International Cryptography Infrastructure (NICI) is the cryptography service for NetIQ 
eDirectory, NetIQ Modular Authentication Services (NMAS), NetIQ Certificate Server, NetIQ 
SecretStore, and TLS/SSL. 


Key Features 


NICI includes the following key features: 


* Industry standards: It implements the recognized industry standards. 
* Certified: It is FIPS-140-1 certified on selected platforms. 
¢ Cross-platform support: It is available on both OES platforms. 


¢ Governmental export and import compliance: It has cryptographic interfaces that are 
exportable from the U.S. and importable into other countries with government-imposed 
constraints on the export, import, and use of products that contain embedded cryptographic 
mechanisms. 


* Secure and tamper-resistant architecture: The architecture uses digital signatures to 
implement a self-verification process so that consuming services are assured that NICI has not 
been modified or tampered with when it is initialized. 
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Never Delete the NICI Configuration Files 


In the early days of NICI development, some NICI problems could be solved only by deleting the NICI 
configuration files and starting over. The issues that required this were solved years ago, but as is 
often the case, the practice persists, and some administrators attempt to use this as a remedy when 
they encounter a NICI problem. 


No one should ever delete the NICI configuration files unless they are directly told to do so bya 
member of the NICI development team. And in that rare case, they should be sure to back up the files 
before doing so. Failure to do this makes restoring NICI impossible. 


More Information 
For more information on how to use NICI, see the Novell International Cryptographic Infrastructure 
(NICI) 2.7.6 Administration Guide. 


General Security Issues 


In addition to the information explained and referenced in this section, the OES online documentation 
contains links to “security issues” (http://www.novell.com/documentation/oes11/ 
index.html#cat_security). 


Planning for Security 


This section discusses the following topics. For additional planning topics, see the Security section in 
the OES online documentation (http://www.novell.com/documentation/oes11/ 
index.html#cat_security). 


* Section 22.2.1, “Comparing the Linux and the Novell Trustee File Security Models," on page 291 
* Section 22.2.2, "User Restrictions: Some OES Limitations," on page 293 
* Section 22.2.3, "Ports Used by OES 11 SP3,” on page 293 


Comparing the Linux and the Novell Trustee File Security 
Models 


The Novell Trustee and Linux (POSIX) security models are quite different, as presented in Table 22-1. 
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Table 22-1 POSIX vs. NSS/NCP File Security Models 


Feature 


Administrative principles 


POSIX / Linux 


Permissions are individually controlled and 
managed for each file and subdirectory. 


Because of the nature of the POSIX security 
model, users usually have read rights to most 


of the system. 


To make directories and files private, 
permissions must be removed. 


For more information on making existing 
directories private, see Section 18.4.2, 
“Providing a Private Work Directory,” on 


page 262. 


Novell Trustee Model on OES 


Trustee assignments are made to 
directories and files and flow down 
from directories to everything below 
unless specifically reassigned. 


Default accessibility 


Users have permissions to see most of the file 


system. 


The contents of a few directories, such as the 
/root home directory, can only be viewed by 


the root user. 


Some system configuration files can be read 
by everyone, but the most critical files, such as 
/etc/fstab, can only be read and modified 


by root. 


Users can see only the directories 
and files for which they are trustees 
(or members of a group that is a 
trustee). 


Home directories—an 
example of default 
accessibility 


By default, all users can see the names of 
directories and files in home directories. 


During LUM installation, you can specify that 
newly created home directories will be private. 


For more information on making existing home 
directories private, see Section 18.4.2, 
“Providing a Private Work Directory,” on 


page 262. 


By default, only the system 
administrator and the home 
directory owner can see a home 
directory. Files in the directory are 
secure. 


If users want to share files with 
others, they can grant trustee 
assignments to the individual files, 
or they can create a shared 
subdirectory and assign trustees to 
it. 


Inheritance from parents 


Nothing is inherited. 


Granting permission to a directory or file 


affects only the directory or file. 


Rights are inherited in all child 
subdirectories and files unless 
specifically reassigned. 


A trustee assignment can 
potentially give a user rights toa 
large number of subdirectories and 
files. 


Privacy 


Security 


Because users have permissions to see most 
of the file system for reasons stated above, 
most directories and files are only private 


when you make them private. 


Directories and files are private by 
default. 
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Feature POSIX / Linux Novell Trustee Model on OES 


Subdirectory and file Permissions granted to a file or directory apply When users are given a trustee 

visibility to only the file or directory. Users can't see assignment to a file or directory, 
parent directories along the path up to the root they can automatically see each 
unless permissions are granted (by setting the parent directory along the path up 
UID, GID, and mode bits) for each parent. to the root. However, users can’t 


- see the contents of those 
After permissions are granted, users can See directories just the path to where 


the entire contents (subdirectories and files) of they have rights. 
each directory in the path. 


When an NCP volume is created on a Linux POSIX or NSS volume, some of the behavior described 
above is modified. For more information, see the OES 11 SP3: NCP Server for Linux Administration 
Guide, particularly the “NCP on Linux Security” section. 


User Restrictions: Some OES Limitations 


Seasoned NetWare administrators are accustomed to being able to set the following access 
restrictions on users: 


* Account balance restrictions 


* Address restrictions 


* 


Intruder lockout 


* 


Login restrictions 
* Password restrictions 


* Time restrictions 


Many of the management interfaces that set these restrictions (iManager, for example), might seem 
to imply that these restrictions apply to users who are accessing an OES server through any protocol. 


This is generally true, with two important exceptions: 


* Maximum number of concurrent connections in login restrictions 


* Address restrictions 


These two specific restrictions are enforced only for users who are accessing the server through 
NCP. Connections through other access protocols (for example, HTTP or CIFS) have no concurrent 
connection or address restrictions imposed. 


For this reason, you probably want to consider not enabling services such as SSH and FTP for LUM 
when setting up Linux User Management. For more information on SSH and LUM, see Section 11.5, 
"SSH Services on OES 11 SP3,” on page 151. 


For more information on Linux User Management, see "Linux User Management: Access to Linux for 
eDirectory Users" on page 213. For more information on the services that can be PAM-enabled, see 
Table 15-2 on page 216. 


Ports Used by OES 11 SP3 


The ports used by OES 11 SP3 services are listed in Table 22-3. 
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Table 22-2 Open Enterprise Server Services and Ports 


Service 


Domain Services for Windows 


NetIQ eDirectory 


iManager 


iPrint 


Novell AFP 
Novell Archive and Version Services 


Novell CIFS 


Novell DHCP 


Novell DNS 


Novell FTP 
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1636 (LDAPS) 

1389 (LDAP) 

88 (Kerberos TCP and UDP) 

135 (RPC Endpoint Manager TCP and UDP) 
1024 - 65535 (RPC Dynamic Assignments TCP) 
3268 (Global Catalog LDAP TCP) 

3269 (Global Catalog LDAP over SSL TCP) 

123 (Network Time Protocol UDP) 

137 (NetBIOS Name Service TCP and UDP) 
138 (NetBIOS Datagram Service TCP and UDP) 
139 (NetBIOS Session Service TCP and UDP) 
8025 (Domain Service Daemon TCP) 

445 (Microsoft-DS traffic TCP and UDP) 


389 (LDAP) 
636 (Secure LDAP) 


IMPORTANT: The scripts that manage the common proxy 
user require port 636 for secure LDAP communications. 


8028 (HTTP for iMonitor) 
8030 (secure HTTP for iMonitor) 
524 (NCP) 


80 (HTTP) 
443 (secure HTTP) 


80 (HTTP) 
443 (secure HTTP) 
631 (IPP) 


548 
26029 
636 (Secure LDAP) 


IMPORTANT: The scripts that manage the common proxy 
user require port 636 for secure LDAP communications. 


67 


953 (secure HTTP) 
53 (TCP) 
53 (UDP) 


21 


Service Default Ports 
Novell Information Portal + 80 (HTTP) 

* 443 (secure HTTP) 
Novell NetWare Core Protocol (NCP) * 524 


Novell Remote Manager * 8008 (HTTP) 

* 8009 (secure HTTP) 
SFCB * 5988 (HTTP) 

* 5989 (secure HTTP) 
QuickFinder * 80(HTTP) 

* 443 (secure HTTP) 
Samba * 139 (Netbios) 

* 445 (Microsoft-ds) 


Secure Shell + 22 
Storage Management Services (Backup) * 40193 (smdr daemon) 
Time Synchronization * 123 (Network Time Protocol UDP) 


223 Configuring and Administering Security 


For a list of configuration and administration topics, see the Security section in the OES online 
documentation (http://www.novell.com/documentation/oes11/index.htmlzicat security). 


224 Resolving Nessus Security Scan Issues 


¢ Section 22.4.1, "Port dns (53/tcp): DNS Server Zone Transfer Information Disclosure (AXFR),” 
on page 296 


* Section 22.4.2, "Port dns (b3/udp):DNS Server Recursive Query Cache Poisoning Weakness," 
on page 296 


¢ Section 22.4.3, “Port dns (53/udp): DNS Server Cache Snooping Remote Information 
Disclosure,” on page 297 


* Section 22.4.4, "Port dns (53/udp): Multiple Vendor DNS Query ID Field Prediction Cache 
Poisoning,” on page 297 


¢ Section 22.4.5, “Port ftp (21/tcp): Anonymous FTP Enabled,” on page 297 


* Section 22.4.6, “Port ftp (21/tcp):Multiple Vendor Embedded FTP Service Any Username 
Authentication Bypass,” on page 298 


* Section 22.4.7, “Port ldap: LDAP NULL BASE Search Access,” on page 298 


* Section 22.4.8, “Port smb (139/tcp) : Microsoft Windows SMB LsaQueryInformationPolicy 
Function SID Enumeration Without Credentials," on page 298 


* Section 22.4.9, "Port ssh (22/tcp): SSH Protocol Version 1 Session Key Retrieval," on page 299 


* Section 22.4.10, "Port (524/tcp): Novell NetWare ncp Service NDS Object Enumeration,” on 
page 299 
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* Section 22.4.11, "Port www (443/tcp): SSL Certificate signed with an unknown Certificate 
Authority," on page 299 


¢ Section 22.4.12, "Port www (443/tcp): SSL Version 2 (v2) Protocol Detection,” on page 300 
* Section 22.4.13, "Port www (tcp): SSL Weak Cipher Suites Supported," on page 300 
* Section 22.4.14, "Port www (tcp): SSL Medium Strength Cipher Suites Supported," on page 300 


Port dns (53/tcp): DNS Server Zone Transfer Information 
Disclosure (AXFR) 


Nessus Plug in: 10595 
Port: DNS service on port 53 
Synopsis: The remote name server permits zone transfers. 


Description: A zone transfer lets a remote attacker instantly populate a list of potential targets. In 
addition, companies often use a naming convention that can give hints as to a server's primary 
application, for example, proxy.example.com, payroll.example.com, b2b.example.com, etc. 


Information like this is of great use to an attacker, who may use it to gain information about the 
topology of the network and spot new targets. 


Resolution: Limit DNS zone transfers to only the servers that need the information. The Security 
Chapter for DNS includes the required information to restrict zones, allow-update and queries and the 
security factors. See "Security Considerations for DNS" in the OES 11 SP3: Novell DNS/DHCP 
Services for Linux Administration Guide. 


Port dns (53/udp):DNS Server Recursive Query Cache 
Poisoning Weakness 


Nessus Plug in: 10539 
Port: DNS on port 53 


Synopsis: The remote name server allows recursive queries to be performed by the host running 
nessusd. 


Description: It is possible to query the remote name server for third party names. 


If this is your internal name server, then the attack vector may be limited to employees or guest 
access if allowed. If you are probing a remote name server, then it allows anyone to use it to resolve 
third party names, such as www.novell.com.This allows attackers to perform cache poisoning attacks 
against this name server. 


If the host allows these recursive queries via UDP, then the host can be used to "bounce" denial-of- 
service attacks against another network or system. 


Resolution: Restrict recursive queries to the hosts that should use this name server, such as those 
of the LAN connected to it. 


The Security Chapter for Novell DNS includes the required information to restrict zones, allow-update 
and queries and the security factors. See "Security Considerations for DNS” in the OES 11 SP3: 
Novell DNS/DHCP Services for Linux Administration Guide. 
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22.4.5 


Port dns (53/udp): DNS Server Cache Snooping Remote 
Information Disclosure 


Nessus Plug in: 12217 
Port: DNS on port 53 
Synopsis: The remote DNS server is vulnerable to cache snooping attacks. 


Description: The remote DNS server responds to queries for third-party domains that do not have 
the recursion bit set. This may allow a remote attacker to determine which domains have recently 
been resolved via this name server, and therefore which hosts have been recently visited. 


For instance, if an attacker was interested in whether your company utilizes the online services of a 
particular financial institution, they would be able to use this attack to build a statistical model 
regarding company usage of that financial institution. Of course, the attack can also be used to find 
B2B partners, web-surfing patterns, external mail servers, and more. 


NOTE: If this is an internal DNS server not accessible to outside networks, attacks would be limited to 
the internal network. This may include employees, consultants, and potential users on a guest 
network or WiFi connection if supported. 


Resolution: The Security Chapter for Novell DNS includes the required information to restrict zones, 
allow-update and queries and the security factors. See “Security Considerations for DNS” in the OES 
11 SP3: Novell DNS/DHCP Services for Linux Administration Guide. 


Port dns (53/udp): Multiple Vendor DNS Query ID Field 
Prediction Cache Poisoning 


Nessus Plug in: 33447 
Port: DNS on Port 53 


Synopsis: The remote name resolver (or the server it uses upstream) may be vulnerable to DNS 
cache poisoning. 


Description: The remote DNS resolver does not use random ports when making queries to third 
party DNS servers. This problem might be exploited by an attacker to poison the remote DNS server 
more easily, and therefore divert legitimate traffic to arbitrary sites. 


Resolution: Nessus might report this if the OES server is configured to use a non-OES DNS server 
that has the above vulnerability. Configure DNS with Novell-DNS instead of the third-party server that 
is vulnerable. 


Port ftp (21/tcp): Anonymous FTP Enabled 


Nessus Plug in: 10079 
Port: FTP service on port 21 
Synopsis: Anonymous logins are allowed on the remote FTP server. 


Description: This FTP service allows anonymous logins. Any remote user may connect and 
authenticate without providing a password or unique credentials. This allows a user to access any 
files made available on the FTP server. 
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Resolution: Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure 
sensitive content is not available. 


Port ftp (21/tcp):Multiple Vendor Embedded FTP Service 
Any Username Authentication Bypass 


Nessus Plug in: 10990 
Port: FTP service on port 21 
Synopsis: A random username and password can be used to authenticate to the remote FTP server. 


Description: The FTP server running on the remote host can be accessed using a random 
username and password. Nessus has enabled some countermeasures to prevent other plug ins from 
reporting vulnerabilities incorrectly because of this. 


Resolution: Contact the FTP server's documentation so that the service handles authentication 
requests properly. 


Port ldap: LDAP NULL BASE Search Access 


Nessus Plugin: 10722 
Port: LDAP on 389, DSfW LDAPS on 1636, msft-gc on 3268 
Synopsis: The remote LDAP server may disclose sensitive information. 


Description: The remote LDAP server supports search requests with a null, or empty, base object. 
This allows information to be retrieved without any prior knowledge of the directory structure. Coupled 
with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as 
LdapMiner. 


NOTE: There are valid reasons to allow queries with a null base. For example, it is required in version 
3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information 
about the supported naming context, authentication types, and the like. It also means that legitimate 
users can find information in the directory without any a prior knowledge of its structure. 


For these reasons, this finding may be a false-positive. 


Resolution: If the remote LDAP server supports a version of the LDAP protocol before v3, consider 
whether to disable NULL BASE queries on your LDAP server LDAP NULL BASE search access 
might be required by many OES services. 


For more details see, TID 7000737 (http://www.novell.com/support/php/ 
search.do?cmd-displayKC&docType-kc&externalld- 7000737). 


Port smb (139/tcp) : Microsoft Windows SMB 
LsaQuerylnformationPolicy Function SID Enumeration 
Without Credentials 

Neesus Plug in : 56210 


Synopsis: It is possible to obtain the host SID for the remote host, without credentials. 
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22.4.11 


Description: By emulating the call to LsaQueryInformationPolicy(), it is possible to obtain the host 
SID (Security Identifier), without credentials. The host SID can then be used to get the list of local 
users. 


Resolution: Novell-Cifs sends a dummy response with an SID value of 0. Therefore, this is not a 
security vulnerability. 


Port ssh (22/tcp): SSH Protocol Version 1 Session Key 
Retrieval 

Nessus Plug in: 10882 

Port: SSH service on port 22 

Synopsis: The remote service offers an insecure cryptographic protocol. 


Description: The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 
of the SSH protocol. These protocols are not completely cryptographically safe, so they should not be 
used. 


Resolution: Disable compatibility with SSH 1.x. 


Port (b24/tcp): Novell NetWare ncp Service NDS Object 
Enumeration 


Nessus Plug in: 10988 
Port: NCP server on port 524 
Synopsis: Remote directory server leaks information. 


Description: This host is a Novell NetWare (eDirectory) server, and has browse rights on the 
PUBLIC object. It is possible to enumerate all NDS objects, including users, with crafted queries. An 
attacker can use this to gain information about this host. 


Resolution: This feature is required by many OES services for their normal operation. 


If this is an external system, block Internet access to port 524. 


Port www (443/tcp): SSL Certificate signed with an unknown 
Certificate Authority 


Nessus Plug in: 51192 


Port: Apache (443), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269), wbem (5989), NRM 
(8009), iMonitor (8030) 


Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. 


Description: The X.509 certificate of the remote host is not signed by a known public certificate 
authority. If the remote host is a public host in production, this nullifies the use of SSL because 
anyone could establish a man-in-the-middle attack against the remote host. 


Resolution: Purchase or generate a proper certificate for this service. For more information about 
generating certificates using the NetIQ Certificate Server, see “Using eDirectory Certificates with 
External Applications" in the NetIQ Certificate Server Administration Guide. 
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Port www (443/tcp): SSL Version 2 (v2) Protocol Detection 


Nessus Plug in: 20007 
Port: Apache port www (443) 
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. 


Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly 
suffers from several cryptographic flaws and has been deprecated for several years. An attacker may 
be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications 
between the affected service and clients. 


Resolution: Consult the Apache documentation to disable SSL 2.0 and use SSL3.0 or TLS 1.0 
instead. 


Port www (tcp): SSL Weak Cipher Suites Supported 


Nessus Plug in: 26928 

Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269) 
Synopsis: The remote service supports the use of weak SSL ciphers. 

Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no 


encryption at all. 


NOTE: This is considerably easier to exploit if the attacker is on the same physical network. 


Resolution: 


1 Change the weak SSLCipherSuite setting for Apache in the /etc/apache2/vhosts.d/vhost- 
ssl.conf file from: 


SSLCipherSuite 
ALL: ! ADH: ! EXPORT56: RC4+RSA: *HIGH : MEDIUM: *LOW: +SSLv2:+EXP:+eNULL 


to 


SSLCipherSuite 
ALL: ! ADH: ! EXPORT56: RC4+RSA:+HIGH: ! MEDIUM: ! LOW: *SSLV2: ! EXP: ! eNULL 


2 Restart Apache by entering the following at the terminal prompt: 


rcapache2 restart 


Port www (tcp): SSL Medium Strength Cipher Suites 
Supported 


Nessus Plug in: 42873 
Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269) 
Synopsis: The remote service supports the use of medium strength SSL ciphers. 


Description: The remote host supports the use of SSL ciphers that offer medium-strength encryption 
(key lengths at least 56 bits and less than 112 bits). 
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NOTE: This is considerably easier to exploit if the attacker is on the same physical network. 


Resolution: Open the /etc/opt/novell/httpstkd.conf file in a text editor, then do the following: 


1 Find the following section. 


Cipher strength determines the bit strength for the SSL key 
that is required to access Novell Remote Manager(NRM). 
The default will be all 


If you modify the setting it will be necessary to restart NRM. 


Options: all, low, medium, high 


low - allows less than 56-bit encryption 
medium - allows 56-bit up to 112-bit encryption 
high - allows 112-bit or greater encryption 


Example: 


F 
$ 
, 
T 
, 
T 
, 
, 
, 
F all - allows any negotiated encryption level. 
1 
$ 
1 
K 
T 
; cipher high 

, 

T 


| A Ae eae ee et A UE EE EE EFE EE EE gr rg rrr rrr rrr org gg 


cipher all 


2 Change cipher allto cipher high. 
3 Save the file. 
4 Restart httpstkd by entering rcnovell-httpstkd restart at a terminal prompt. 


Links to Product Security Considerations 


The following product documentation contains additional security information: 
Table 22-3 Security Consideration Links 


Product/Technology Security Considerations Section Link 


AppArmor Novell AppArmor Administration Guide (http:// 
www.novell.com/documentation/apparmor/ 
apparmor201 sp10 admin/data/ 
book apparmor admin.html) 


Archive and Version Services "Security Considerations for Archive and Version 
Services" in the OES 11 SP3: Novell Archive and 
Version Services Administration Guide 


Domain Services for Windows OES 11 SP3: Novell Domain Services for Windows 
Security Guide 
Dynamic Storage Technology "Security Considerations" in the OES 11 SP3: Dynamic 


Storage Technology Administration Guide 


eDirectory "Security Considerations" in the Net/Q eDirectory 8.8 
SP8 Administration Guide 
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Product/Technology 


File Systems 


Security Considerations Section Link 


OES 11 SP3: File Systems Management Guide 
(information throughout the guide) 


Identity Manager 4.0.2 


“Security Best Practices” in the Identity Manager 4.0.2 
Documentation (http://www.netiq.com/documentation/ 
idm402/index.html) 


iPrint for OES 


"Setting Up a Secure Printing Environment" in the OES 
11 SP3: iPrint Linux Administration Guide 


Linux User Management 


"Security Considerations" in the OES 11 SP3: Novell 
Linux User Management Administration Guide 


Novell AFP "Security Guidelines for AFP" in theOES 11 SP3: 
Novell AFP for Linux Administration Guide 
Novell CIFS "Security Guidelines for CIFS” in the OES 11 SP3: 


Novell CIFS for Linux Administration Guide. 


Novell Client for Windows 7 


"Security Considerations" in the Novell Client 2 SP1 for 
Windows Administration Guide 


Novell Client for Windows XP/2003 


"Managing File Security and Passwords" in the Novell 
Client 4.91 SP5 for Windows XP/2003 Installation and 
Administration Guide 


Novell Client for Linux 


"Managing File Security" in the Novell Client 2.0 SP3 
for Linux Administration Guide 


Novell Remote Manager for OES 


"Security Considerations" in the OES 11 SP3: Novell 
Remote Manager Administration Guide 


Novell Storage Services 


"Securing Access to NSS Volumes, Directories, and 
Files" and "Security Considerations" in the OES 11 
SP3: NSS File System Administration Guide for Linux 


Novell iFolder 3.9.2 


Novell iFolder 3.9.2 Security Administration Guide 


OES 11 SP3 Installation 


"Security Considerations" in the OES 11 SP3: 
Installation Guide 


OES 11 SP3 Migration Tools 


"Security Considerations for Data Migration" in the 
OES 11 SP3: Migration Tool Administration Guide 


QuickFinder 


"Security Considerations for QuickFinder Server” in 
the QuickFinder Server 5.0 Administration Guide 


SuSEfirewall2 


“Masquerading and Firewalls" (http://www.suse.com/ 
documentation/sles11/book security/data/ 

cha security firewall.html) in the SLES 11 SP4 
Security Guide (http://www.suse.com/documentation/ 
sles11/book security/data/book security.html) 


Links to Anti-Virus Partners 


See the Partners and Communities page on Novell.com (http://www.novell.com/products/ 
openenterpriseserver/partners communities.html). 
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23.1.1 


Certificate Management 


By default, all SUSE Linux Enterprise Server (SLES) servers include self-generated server 
certificates to secure data communications with the servers. These certificates are self-signed and do 
not comply with the X.509 RFCs. They are provided only as a stop-gap and should be replaced as 
soon as possible by a certificate from a trusted Certificate Authority. 


Unfortunately, many organizations ignore the vulnerabilities to mischievous or even malicious attacks 
that are created by not replacing these temporary certificates. Some of the reasons for this are 


* Administrators lack the knowledge required. 
* Certificate maintenance can require a significant investment of time and effort. 


* Obtaining third-party certificates for each server is expensive. 


The problems are compounded by the fact that X.509 certificates are designed to expire regularly and 
should be replaced shortly before they do. 


Open Enterprise Server 11 includes solutions that address each of these issues at no additional 
expense. 


This section discusses the certificate management enhancements available in OES and how simple 
and straightforward it is to utilize them. 


¢ Section 23.1, “Overview,” on page 303 
¢ Section 23.2, "Setting Up Certificate Management,” on page 305 
¢ Section 23.3, “If You Don't Want to Use eDirectory Certificates," on page 308 


Overview 


The following sections outline how OES lets you automate certificate management for OES and all 
HTTPS services: 


¢ Section 23.1.1, “SLES Default Certificates," on page 303 
¢ Section 23.1.2, “OES Certificate Management,” on page 304 
¢ Section 23.1.3, "Multiple Trees Sharing a Common Root,” on page 305 


SLES Default Certificates 


By default, HTTPS services on SLES 11 SP4 are configured to use two files that are located in /etc/ 
ssl/servercerts and are protected so that only root and some specific groups can read them: 


* serverkey.pem: This contains the server's raw private key. 


* servercert.pem: This contains the server's certificates. 


OES services, such as Apache, OpenWBEM, and Novell Remote Manager, are also configured to 
use these certificates. 
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23.1.2 OES Certificate Management 


OES enhances certificate management as follows: 


¢ “Installation of eDirectory Certificates” on page 304 
+ "What Is Installed Where" on page 304 

* "NetlQ Certificate Server" on page 305 

¢ "Server Self-Provisioning" on page 305 

+ “PKI Health Check" on page 305 


Installation of eDirectory Certificates 
As you install eDirectory and OES, by default all HTTPS services are configured to use eDirectory 
certificates. This means that eDirectory is established as the Certificate Authority for the tree you are 


installing into, and it will generate keys and certificates for the server and replace the installed SLES 
certificates with the eDirectory certificates. 


What Is Installed Where 


Key and certificate files are installed in the following locations: 


Table 23-1 File Locations 


Location Details 
/etc/ssl/certs This is the default location of trusted root certificates for clients on 
the server. 


Most of the applications on the server are configured to use this 
directory. For example, the LDAP client uses one or more of the 
trusted certificates in this directory when establishing a secure 
LDAP connection. 


The OES installation copies the eDirectory tree CA's certificate 
(eDirCACert.pem) here, thereby establishing the CA as a trusted 
root. 


Everyone (other) has rights to read the contents of this directory. 


/etc/ssl/servercerts The standard location for the server's raw private key 
(serverkey. pem) and certificates (servercert.pem). 


Applications on the server, including OES applications, are 
configured to point to the files in this directory. 


Only root and some specific groups can read the files in this 
directory. 


/etc/opt/novell/certs This directory contains the eDirectory CA certificate in both DER 
and PEM formats for use by applications that need them. The files 
are named SSCert . der and SSCert.pem, respectively. 


For example, when PKI Health Check runs, it installs the CA 
certificate in the Java Keystore in DER format if the certificate 
needs replacing. 
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NetIQ Certificate Server 


The component that generates eDirectory keys and certificates is the NetIQ Certificate Server. 


This certificate server provides public key cryptography services that are natively integrated into 
NetIQ eDirectory. You can use the server to mint, issue, and manage both user and server certificates 
to protect confidential data transmissions over public communications channels such as the Internet. 


For complete information on the NetIQ Certificate Server, see the NetIQ Certificate Server 
Administration Guide. 


Server Self-Provisioning 


When activated, Server Self-Provisioning lets server objects in eDirectory create their own 
certificates. You must activate this option if you want PKI Health Check to automatically maintain your 
server certificates. 


For more information on this feature, see “X.509 Certificate Self-Provisioning" in the NetIQ Certificate 
Server Administration Guide. 


PKI Health Check 


The PKI health check runs whenever the certificate server starts. 


If you have enabled Server Self-Provisioning, the health check routine automatically replaces server 
certificates when any of the following are detected: 

* The certificates don't exist. 

* The certificates have expired. 

* The certificates are about to expire. 

* The IP or DNS information on the certificates doesn't match the server configuration. 


* The Certificate Authority (CA) that issued the certificate is different from the CA currently 
configured. 


For more information on this feature, see “PKI Health Check” in the Net/Q Certificate Server 
Administration Guide. 


23.13 Multiple Trees Sharing a Common Root 


The Organizational CA can be configured to act as a sub-CA. This lets multiple trees share a 
common root certificate. The root certificate can be stored in a physically protected tree. It can also 
integrate with a third-party PKI. For more information, see "Subordinate Certificate Authority" in the 
NetIQ Certificate Server Administration Guide. 


23.2 Setting Up Certificate Management 


Use the information in the following sections to help you set up certificate management as you install 
OES. 


¢ Section 23.2.1, "Setting Up Automatic Certificate Maintenance,” on page 306 


¢ Section 23.2.2, “Eliminating Browser Certificate Errors," on page 306 
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23.2.1 


23.2.2 


Setting Up Automatic Certificate Maintenance 


To set up your server so that HTTPS services use eDirectory certificates, you must specify the Use 
eDirectory Certificates for HTTP Services option while installing or upgrading eDirectory. 


This installs eDirectory keys and certificates on the server, but it does not configure the server to 
automatically replace the certificates when they expire. Automatic maintenance requires that Server 
Self-Provisioning be enabled as follows: 


1 On the server you are configuring, in iManager > Roles and Tasks, click the NetIQ Certificate 
Server > Configure Certificate Authority option. 
2 Click Enable server self-provisioning. 


This causes automatic certificate replacement for the conditions described in “PKI Health Check" 
on page 305. 


IMPORTANT: If you enable Server Self-Provisioning in an OES tree and you have created a 
CRL configuration object but not yet configured any CRL distribution points, the PKI Health 
Check might replace the default certificates every time it runs. 


To avoid this, you can either 


* Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points 
by using iManager's Configure Certificate Authority task. 


or 


* Delete any CRL Configuration objects, for example CN=One - Configuration. CN=CRL 
Container.CN=Security. 


3 If you also want the CA certificate to be replaced if it changes or expires, click the Health Check 
- Force default certificate creation/update on CA change option. 


Eliminating Browser Certificate Errors 


Because the Internet Explorer and Mozilla Firefox browsers don’t trust eDirectory certificate 
authorities by default, attempts to establish a secure connection with OES servers often generate 
certificate errors or warnings. 


These are eliminated by importing the eDirectory tree CA's self-signed certificate into the browsers. 
Complete the instructions in the following sections as applicable to your network. 


+ “Exporting the CA's Self-Signed Certificate" on page 306 
* "Importing the CA Certificate into Mozilla Firefox on Linux” on page 307 
* "Importing the CA Certificate into Mozilla Firefox on Windows" on page 307 


¢ "Importing the CA Certificate into Internet Explorer" on page 307 


Exporting the CA's Self-Signed Certificate 


1 Launch Novell iManager. 
2 Log into the eDirectory tree as the Admin user. 


3 Select the Roles and Tasks menu, then click NetIQ Certificate Server > Configure Certificate 
Authority. 


4 Click the Certificates tab, then select the self-signed certificate. 
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5 Click Export. 


6 Deselect Export Private Key. 


10 
11 


The Export Format changes to DER. 
Click Next. 


Click Save the Exported Certificate and save the file to the local disk, noting the filename and 
location if they are indicated. 


Click Close > OK. 
Find the file you just saved. By default it is usually on the desktop. 
Complete the instructions in the follow sections that apply to your browsers. 


Importing the CA Certificate into Mozilla Firefox on Linux 
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Launch Firefox. 

Click Edit > Preferences > Advanced. 
Select the Encryption tab. 

Click View Certificates. 

Select the Authorities tab, then click Import. 


Browse to the certificate file you downloaded in "Exporting the CA's Self-Signed Certificate" on 
page 306 and click Open. 


Select Trust this CA to identify Web sites, then click OK » OK » Close. 


Firefox now trusts certificates from the servers in the tree. 


Importing the CA Certificate into Mozilla Firefox on Windows 
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Launch Firefox. 

Click Tools » Options » Advanced. 

Select the Encryption tab. 

Click View Certificates. 

Select the Authorities tab, then click Import. 


Browse to the certificate file you downloaded in "Exporting the CA's Self-Signed Certificate" on 
page 306 and click Open. 


Select Trust this CA to identify Web sites, then click OK » OK » OK. 
Firefox now trusts certificates from the servers in the tree. 


Importing the CA Certificate into Internet Explorer 


0 à OO N HP 


Launch Internet Explorer. 

Click Tools > Internet Options. 

Select the Content tab. 

Click Certificates. 

Click Import. 

The Certificate Import Wizard launches. 
Click Next. 
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7 Click Browse, 


8 In the Files of Type drop-down list, select All Files(*.*), browse to the file you downloaded in 
"Exporting the CA's Self-Signed Certificate" on page 306, then click Open. 


9 Click Next. 
10 Click Next. 
Choose the default, Automatically select the certificate store based on the type of certificate. 
11 Click Finish » Yes » OK. 
Internet Explorer now trusts certificates from the servers in the tree. 


23.3 If You Don't Want to Use eDirectory Certificates 


For most organizations, the eDirectory certificate solution in OES is an ideal way to eliminate the 
security vulnerabilities mentioned at the beginning of this chapter. However, some administrators, 
such as those who have third-party keys installed on their servers, probably want to keep their 
installed certificates in place. 


You can prevent the use of eDirectory certificates for HTTPS services by making sure that the option 
to use them is not selected on the first eDirectory configuration page. 
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Adding Services to OES Servers 


You can add services to OES servers after they are installed. 


OES is a set of services that can be either added to an existing server or installed at the same time as 
SUSE Linux Enterprise Server. After OES services are added, we refer to the server as an OES 
server. 


To add OES services to an OES 11 SP3 server, follow the instructions in “Installing or Configuring 
OES 11 SP3 on an Existing Server” in the OES 11 SP3: Installation Guide. 
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B.1 


B.2 


B.2.1 


Changing an OES 11 SP3 Server's 
IP Address 


The instructions in this section let you change the IP address assigned to an OES 11 SP3 server and 
the services it hosts. 

¢ Section B.1, “Caveats and Disclaimers," on page 311 

¢ Section B.2, “Prerequisites,” on page 311 

¢ Section B.3, "Changing the Server’s Address Configuration," on page 312 

¢ Section B.4, "Reconfiguring the OES Services,” on page 312 

¢ Section B.5, "Repairing the eDirectory Certificates," on page 313 

¢ Section B.6, “Completing the Server Reconfiguration,” on page 313 

¢ Section B.7, “Modifying a Cluster," on page 317 

¢ Section B.8, "Reconfiguring Services on Other Servers That Point to This Server," on page 317 


Caveats and Disclaimers 


The instructions in this section assume that only the IP address of the server is changing. They do not 
cover changing the DNS hostname of the server. 


Prerequisites 


* Section B.2.1, "General," on page 311 
¢ Section B.2.2, "iPrint," on page 312 
* Section B.2.3, "Clustering," on page 312 


General 


Before starting the process, be sure you know the following: 


C] Old IP Address: The server's IP address you are changing. 
C] New IP Address: The IP address the server will use after the change. 


C] Old Master Server Address: The IP address of the eDirectory™ server specified when the 
server was installed. 


By default this is also the LDAP server address for OES services installed on the server. 


C] New Master Server Address: The IP address of the eDirectory server that the server should 
point to after the change. The old and new addresses might be the same, but you will be 
required to enter both. 


C] Address of the Subnet for the New IP Address: This is a subnet address, not the subnet 
mask. For example, 192.168.2.0, not 255.255.255.0. 
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B.2.2 


B.2.3 


B.3 


iPrint 
If your network users connect to their printers through the print manager on this server, you might 
want to consider setting up iPrint Client Management (ICM) prior to the change. ICM lets you centrally 


configure the iPrint configuration for your users. For more information, see "Using iPrint Client 
Management' in the OES 11 SP3: iPrint Linux Administration Guide. 


Clustering 


If the server is running Novell Cluster Services: 


1 Check your plans against the prerequisites for clusters in "IP Address Requirements" in the OES 


11 SP3: Novell Cluster Services for Linux Administration Guide. 


2 Follow the instructions in "Changing the IP Addresses of Cluster Resources" in the same guide. 


Changing the Server's Address Configuration 


Log into the server you are reconfiguring as the root user. 


Copy the ipchange.sh script file found in /opt/novell/migration/sbin/serveridswap/ 
scripts/ipchange/nonplugin/ on any OES 11 SP3 server, to the root (/) partition of the OES 
11 SP3 server you are reconfiguring. 


Open the YaST Control Center. 


4 In Network Devices select Network Card. 


Confirm that the Old IP address you listed in Section B.2.1, "General," on page 311 is in fact the 
IP address currently configured for the network card. You need this later in the process. 


Using the various dialog boxes associated with the network card configuration, change the card 
configuration to the new IP address settings you listed in Section B.2.1, "General," on page 311, 
changing each of the following as necessary: 


* |P Address 
* Subnet Mask 
* Router (Gateway) 
Close YaST, then continue with Section B.4, "Reconfiguring the OES Services," on page 312. 


B.4 Reconfiguring the OES Services 


1 Open a terminal prompt. 
2 Atthe terminal prompt, change to the root (/) directory, make the script executable, then run the 


script by entering the following commands: 

cd / 

chmod 744 ipchange.sh 

./ipchange.sh oldip newip oldmasterip newmasterip yes 


where oldip is the old IP address, newip is the new IP address, oldmasterip is the IP address of 
the eDirectory server specified when the server was installed, and newmasterip is the IP address 
of the new eDirectory server identified in Prerequisites above. 


The oldmasterip and the newmasterip can be the same IP address, but they must both be 
included in the command. In the script these are referred to as Remote edir/Idap addresses. 
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IMPORTANT: By default, the master eDirectory address (the eDirectory server specified at 
installation) is also the LDAP server address for OES services installed on the server. 


All services that are configured with the old master address as their LDAP address are 
reconfigured to use the new master address. On the other hand, if you specified a different 
LDAP server address for any of the installed services, and if that LDAP server's address is also 
changing, you need to manually reconfigure the services. 


To see the IP addresses that your services were originally configured to use, use a text editor to 
open the files in /etc/sysconfig/novell/. 


As the script runs, it changes all of the OES configuration files and does everything else that can 
be done automatically to change the IP address for all OES services. 


3 Type the Admin password when prompted. 
You might need to wait a few minutes for the LDAP server to restart. 


4 When the script finishes, restart the server by entering the following command at the terminal 
prompt: 


shutdown -r now 


B.5 Repairing the eDirectory Certificates 


1 Start iManager and click through the warnings about a DNS name mismatch. 


2 In the Login dialog box, type the Admin username and password, type the newmasterip address 
in the Tree field, then click Login. 


3 Click NetIQ Certificate Server > Repair Default Certificates. 


4 In Create Server Certificate » Step 1 of 3, browse to and select the server object for the server 
you are changing. 


5 Click OK » Next. 
6 In Step 2 of 3, click Next. 
7 Click Finish, then close the dialog box. 


B.6 Completing the Server Reconfiguration 


Some OES services require reconfiguration steps to be done manually. 
Complete the steps in the following sections as they apply to the server you are changing. 
¢ Section B.6.1, “QuickFinder,” on page 313 
¢ Section B.6.2, “DHCP,” on page 314 
¢ Section B.6.3, “DSfW,” on page 314 
¢ Section B.6.4, "iFolder," on page 316 
¢ Section B.6.5, “iPrint,” on page 317 
¢ Section B.6.6, "NetStorage," on page 317 


B.6.1 QuickFinder 


1 Ifthe IP address you have changed is listed as an alias for the virtual search server, modify the 
list by deleting the entry for the old address and adding an entry for the new one. 
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For instructions, see “Deleting a Virtual Search Server” and “Creating a Virtual Search Server” in 
the OES 11 SP3: Novell QuickFinder Server 5.0 Administration Guide. 


2 Regenerate the QuickFinder™ index by completing the instructions in see “Creating Indexes” in 
the OES 11 SP3: Novell QuickFinder Server 5.0 Administration Guide. 


B.6.2 DHCP 


1 Make sure the DHCP configuration in eDirectory has a subnet declared for the new IP address. 


For instructions, see “Administering and Managing DHCP” in the OES 11 SP3: Novell DNS/ 
DHCP Services for Linux Administration Guide. 


B.6.3 DSfW 


After the IP address is changed, execute the following instructions: 


1 Open iManager > DNS > Resource Record Management. Select View and Modify Resource 
Record from the drop-down list, then click OK to open the Modify Resource Record window. 


@ Roles and Tasks 


[All Categories] v 


El Resource Record Management 


Warning 


The Scope Setting is not configured. Configure the Scope setting for improved performance. 


Selectthe operation you would like to perform: 


Scope Settings 

DNS Server Management 

Zone Management 

Resource Record Management 


eDirectory Encryption 


iFolder 3.6 * 
X Find: @ Next dE Previous 6? Highlight all [v] Match case 
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2 Select the domain name from the drop-down list, then click Search. This is the domain name 
whose IP address is to be changed (In this example, it is the ‘A’ record). 


Q Roles and Tasks 


[All Categories] v 


El Modify RR Set - Resource Record 


Select Domain Name: 
iptest.com {v 


Select a Host Name: 


@ a 


Select RR Data; 
189.100.8.1 


Resource Record type: 


Scope Settings 
DNS Server Management 
Zone Management 


Y 
4 Next È Previous 4 Highlight all. [v] Match case 


2a Specify the Host Name using the search feature. 


2b Select the '@ ' record and click Modify to change the IP address with the new IP 
address.Select the hostname A record and click Modify to change the IP address with the 
new IP address. 
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D Novell iManager 


(&] Roles and Tasks 
Resource Record Data 


[All Categones) 
* Resource Record Type: A 
Archive Versioning 


Aue ud Lorie IP Address 


Border Manager 199 |20 15 12 
Credential Pr. p 

mirrin eue e Enter Comments: 
DHCP NetWare) IP address is changed for the 'A' resource record type for the 

"IPTest' domain. 
DHCP (OES Linux) 
Directory Administration 
Bone Cancel 

Distributed File Services i meo 
DNS 

Scope Settings 

ONS Server Management 

Zone Management 

Resource Record Management 
eDirectory Encryption 
eDirectory Maintenance 
Fan Out Driver Configuration 
Fan Out Driver Utilities 
File Protocols 
Files and Folders 
Groups 
Help Desk 
Identity Manager 
Identity Manager Utilities 
iFolder 3.6 * 

X Find: . [7] Match case 


2c Click Done. A message indicates that the A record has been successfully modified. 
3 Execute the following steps to rename and move the Reverse Lookup object: 


3a Click iManager > Directory Administration >Rename Object. Search and select the 
Reverse Lookup object from eDirectory. 


3b In the New Object Name field, specify the name of the Reverse Lookup object with the new 
IP address. 


For example: If the object name is 135 103 92 100 in- 

addr arpa.OESSystemObjects.nmfrd, rename it with the new IP address. So if the new IP 
address is 100.92.103.136, the new name of the Reverse Lookup object will be 

136 103 92 100 in-addr arpa.OESSystemObjects.nmfrd. 


3c Click iManager » Directory Administration »Modify Object. Search and select the Reverse 
Lookup object from eDirectory. 


3d From the Other tab, select the valued attribute named dnip:zonedomainname and change 
the value to new name of the Reverse Lookup object. Click Save. 


4 Restart the DNS server. 
5 Change the following: 


5a Update the /etc/resolve.conf file if the server was acting as the DNS server for the 
domain. 


NOTE: If you are performing the IP address change on the Forest Root Domain that is 
hosting the DNS server, make sure you update the /etc/resolve.conf file for all the 
servers referencing this domain controller. 


B.6.4 iFolder 


See "Changing The IP Address For iFolder Services" in the Novell iFolder 3.9.2 Administration Guide. 
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B.6.5 


B.6.6 


B.7 


B.8 


iPrint 
1 Using your favorite text editor, open the following configuration file: 
/etc/opt/novell/iprint/conf/DN_of_PSMipsmd.conf. 
where DN_of_PSM is the name of the Print Manager in eDirectory. 
2 Change any entries that list the old IP address to the new IP address. 
3 Restart the Print Manager by entering the following command at a terminal prompt: 


rcnovell-ipsmd restart 


IMPORTANT: Users that have accessed printers through the modified Print Manager will lose 
access to their printers. 


If you have set up iPrint Client Management on the server, you can automate the reconfiguration 
process. If not, users must reinstall the printers. 


For more information on iPrint Client Management, see “Using iPrint Client Management” in the 
OES 11 SP3: iPrint Linux Administration Guide. 


NetStorage 


1 Ataterminal prompt, enter the following commands: 


/opt/novell/xtier/bin/xsrvcfg -D 
/opt/novell/xtier/bin/xsrvcfg -d newip -c AuthenticationContext 


where newip is the new IP address used throughout this section and AuthenticationContext is 
the eDirectory context for NetStorage users. NetStorage searches the eDirectory tree down 
from this container. If you want NetStorage to search the entire eDirectory tree, specify the 
root context. 


rcnovell-xregd restart 
rcnovell-xsrvd restart 
rcapache2 restart 


Modifying a Cluster 
If the server is running Novell Cluster Services™, complete the instructions in “Modifying the Cluster 


Configuration Information” in the OES 11 SP3: Novell Cluster Services for Linux Administration 
Guide. 


Reconfiguring Services on Other Servers That 
Point to This Server 


If you have services on other servers that point to the old IP address for this server, be sure to 
reconfigure those services to point to the new IP address. 
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Updating/Patching OES 11 SP3 
Servers 


One of a network administrator's biggest challenges is keeping installed software up-to-date on all 
servers and workstations. 


For instructions on setting up the update channel for each OES 11 SP3 server and running the patch 
process, see “Updating (Patching) an OES 11 SP3 Server” in the OES 11 SP3: Installation Guide. 
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Quick Reference to OES User 
Services 


Use Table D-1 as a quick reference for providing your network users with instructions for accessing 
each OES service. 


Table D-1 OES User Services Quick Reference 


services Access Method or URL Notes 


iPrint http://server_ip_address_or_dns_name/ipp 


https://server_ip_address_or_dns_name:443/ipp 


NetStorage For browser access, use: The WebDAV URL is case 
: sensitive. 
http: or https-//server ip or dns/netstorage 
For WebDAV access, use: 


http: or https://server ip or dns/oneNet/NetStorage 


Novell Client 1. Install the Novell Client on a supported Windows 
workstation. 


2. Log in to eDirectory. 


3. Access NCP volumes on NetWare or Linux that you have 
the appropriate file trustee rights to. 


Novell AFP In the Chooser, click Go and browse to the server. 


Novell CIFS Map a network drive in Windows Explorer. 


Create a Web Folder in Internet Explorer. 


Novell https://server ip address or dns namelifolder "ifolder" is the default name, but 
iFolder 3.x this can be customized by the 
Web Access administrator. 

server 

Novell http://server ip address or dns name:8008 Any LUM-enabled user can see 
Remote their directories and files on OES 
Manager servers. 

Samba Map a network drive in Windows Explorer. 


Create a Web Folder in Internet Explorer. 
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OES 11 SP3 Browser Support 


As a general rule, Open Enterprise Server 11 SP3 management tools support the following browsers 
as they are available on the workstation platforms listed in "Client/Workstation OS Support" on 
page 325: 


* 


Mozilla Firefox 64-bit (latest 32- and 64-bit versions) on Windows, Macintosh, and Linux 


* 


Microsoft Internet Explorer 8 (latest version) on Windows 


* 


Microsoft Internet Explorer 9 (runs only on Window 7 SP1 or Windows 7 plus patches) 


* 


Apple Safari (latest version) on Macintosh 


* 


Google Chrome v14.x (latest version) 


Table E-1 provides service-specific links and information about browser support in OES. 


Table E-1 Browser Support in OES 


Management Tool Supported Browser Information Link 


iManager 2.7 + "Using a Supported Web Browser” in the NetiQ® iManager 
Administration Guide 


There are rendering differences for some iManager plug-ins between 
Internet Explorer and Mozilla-based browsers. For example, options that 
are accessed through tabs in IE are sometimes accessed through drop- 
down lists in Firefox. 


Also, iManager plug-ins might not work properly if the highest priority 
Language setting for your Web browser is set to a language other than 
one of iManager's support languages. 


To avoid problems, set the first language preference to a supported 


language. 
iMonitor * "System Requirements" in "Using NetIQ iMonitor" in the NetIQ 
eDirectory 8.8 SP8 Administration Guide 
IP Address Manager (NetWare) Same as Novell Remote Manager 
iPrint * "Supported Browsers for iPrint" in the OES 11 SP3: iPrint Linux 
Administration Guide 
Novell iFolder 3.9.2 * "Web Browser' in the Novell iFolder 3.9.2 Administration Guide 
Novell Remote Manager * "System Requirements" in the OES 11 SP3: Novell Remote 


Manager Administration Guide 


* "System Requirements" in the NW 6.5 SP8: Novell Remote Manager 
Administration Guide 


OpenSSH Manager (NetWare) * "Added Functionality" in the NW 6.5 SP8: OpenSSH Administration 
Guide 
QuickFinder Server Manager * "Managing QuickFinder Server" in the OES 11 SP3: Novell 


QuickFinder Server 5.0 Administration Guide 
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Management Tool Supported Browser Information Link 


TCP/IP Configuration (NetWare) Same as Novell Remote Manager 
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= Client/Workstation OS Support 


As a general rule, Open Enterprise Server 11 SP3 services can be accessed and administered from 
workstations running the following operating systems: 

¢ SUSE Linux Enterprise Desktop 10 SP4 (32- and 64-bit) 

¢ SUSE Linux Enterprise Desktop 11 SP1 (32- and 64-bit) 

¢ SUSE Linux Enterprise Desktop 11 SP2 (32- and 64-bit) 

* Microsoft Windows XP SP3 (32-bit) (in extended support) 

* Microsoft Windows Vista Business SP2 (32- and 64-bit) 


* Microsoft Windows Vista Home Basic SP1 (32- and 64-bit) (iPrint and iFolder clients; non- 
administrative only) 


* Microsoft Windows Vista Ultimate SP2 (32- and 64-bit) 


* Microsoft Windows 7 SP1 Home Premium latest release (32- and 64-bit) (iPrint and iFolder 
clients; non-administrative only) 


* Microsoft Windows 7 SP1 Ultimate latest release (32- and 64-bit) 
* Microsoft Windows 7 SP1 Professional latest release (32- and 64-bit) 
* Macintosh OS X 10.6.7 Snow Leopard (Intel) (32- and 64-bit) (non-administrative only) 


* Macintosh OS X 10.7 Lion (Intel) (32- and 64-bit) (non-administrative, 10.6 feature level only) 
(DHX2 authentication requires enablement in Novell AFP. See "Security and Rights" in theOES 
11 SP3: Novell AFP for Linux Administration Guide) 


+ Windows 2008 R2 Server (iPrint, DSfW, Novell Client) (32- and 64-bit) (non-administrative only) 


For specific information on a given service, consult the service documentation. 


Client/Workstation OS Support — 325 


326  Client/Workstation OS Support 


OES 11 SP3 Service Scripts 


Novell Open Enterprise Server 11 SP3 services rely on specific service scripts located in /etc/ 
init.d. The scripts used by OES 11 SP3, some of which are standard Linux scripts, are listed in 
Table G-1. 


IMPORTANT: For managing OES 11 SP3 services, we strongly recommend using the browser- 
based tools outlined in Section 11.1, "Overview of Management Interfaces and Services," on 

page 139. The browser-based tools provide error checking not available at the service-script level, 
and they ensure that management steps happen in the sequence required to maintain service 


integrity. 


Table G-1 OES Service Scripts in /etc/init.d 


Services Associated with Scripts Script Name Notes 


Apache Web server apache2 The rcapache2 symbolic link, which is by 
default part of the path, can be used to start, 
stop, and restart the Apache Web Server, 
rather than referencing the init script directly. 


Archive and Version Services novell-ark This lets you to start, stop, restart and display 
the status of the Archive and Version Service. 


CASA micasad This is the CASA daemon. 
Distributed File Services novell-dfs This lets you start and stop the VLDB service. 
DNS (NetlQ eDirectory enhanced) novell-named This works in connection with named to 


provide NetIQ eDirectory DNS services. 


DNS (SUSE Linux Enterprise Server 11 named This is the SLES 11 DNS service daemon. 
base) 
Dynamic Storage Technology novell-shadowfs This script starts and stops the shadowfs 


daemon and the kernel module fuse. 


eDirectory ndsd This lets you start and stop eDirectory. It 
executes the /usr/sbin/ndsd binary. 


eDirectory SNMP support ndssnmpsa This lets you start and stop the NDS 
subagent. 
eDirectory LDAP support nldap This lets you load and unload the LDAP library 


that NetIQ eDirectory uses to provide LDAP 
support. It is not actually a service. 


FTP pure-ftpd This is used by the Novell FTP Pattern. 
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Services Associated with Scripts 


iPrint 


Script Name 
cups 
novell-idsd 


novell-ipsmd 


Notes 


These scripts are required by iPrint 


cups lets you to start and stop the cupsd 
daemon that provides spooling and printing 
functionality for local and remote printers and 
is always required, even if printers are 
broadcasted ("Browsing") into (sub)nets. 


novell-ipsmd lets you to start and stop the 
ipsmd daemon that manages printers that are 
assigned under a Print Manager. 


novell-idsd lets you to start and stop the 
idsd daemon that manages drivers that are 
assigned under a Driver Store. 


Linux User Management 


namcd 


nscd 


These daemons are required by Linux User 
Management and work together to ensure 
good performance. 


The namcd daemon caches user and group 
names and IDs from eDirectory, speeding 
subsequent lookups of cached users and 
groups. 


The nscd daemon caches host names and 
addresses. 


Logging 


syslog 


This is used for logging by many OES 
services. 


Novell AFP 


novell-afptcpd 


This script starts and stops the afptcpd 
daemon, which is the Novell AFP service 
daemon 


Novell AFP 


avahi-daemon 


This is used by AFPtcpd to advertise itself. 


Novell CIFS 


novell-cifs 


This script starts and stops the cifsd daemon, 
which is the Novell CIFS service daemon 


NetStorage (actually XTier) 


novell-xregd 


novell-xsrvd 


NetStorage runs inside the novell-xsrvd XTier 
Web Services daemon, and also utilizes 
Tomcat services for certain other functions. 


novell-xregd is the init script for starting and 
stopping XTier's registry daemon. It is part of 
the novell-xtier-base RPM and is 
enabled by default for run levels 2, 3, and 5. 


novell-xsrvd is the init script for starting and 
stopping XTier's Web services daemon. It is 
also part of the novell-xtier-web RPM and 
is enabled for run levels 2, 3, and 5. 


Novell Cluster Services (NCS) 
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adminfs 


This is used for NCS through iManager and 
the command line interface. 


Services Associated with Scripts Script Name Notes 


Novell Cluster Services (NCS) novell-ncs NCS uses some shell scripts and utilities that 
come with the heartbeat package. For 
example, NCS uses a binary called send_arp 
to send out ARP packets when a secondary 
address is bound. 


NCS never runs the heartbeat daemons. In 
fact, NCS and heartbeat are mutually 
exclusive when it comes to execution, and 
heartbeat must always be configured to not 
run (chkconfig heartbeat off) when NCS is 
loaded on the server. 


Novell Remote Manager novell-httpstkd This script runs by default on every OES 
server and enables access to NRM for Linux 
through a browser. 


Use this script followed by the status option to 
view current status. Or use stop, start, or 
restart options to alter the run state of the 
NRM daemon as needed. 


Novell Storage Services novell-nss This script runs by default on every OES 
server with NSS volumes and enables access 
to the NSS runtime environment. 


To see if the NSS kernel modules and NSS 
admin volume are running, enter service 
novell-nss status, /etc/init.d/ 
novell-nss status, or rcnovell-nss 
status at a command prompt. If they are not 
running, use the start option to start them. 
You cannot stop NSS. 


Novell Remote Manager e-mail postfix Novell Remote Manager uses this to send 

notifications notifications as configured. 

NSS Auditing novell-vigil This is the NSS auditing daemon. 

NTP ntp This is the SLES 11 Network Time Protocol 
daemon. 

Patching novell-zmd This is the GUI patch updater daemon. 

QuickFinder novell-tomcat6-32bit This script sets up the Tomcat included with 
SLES 11 specifically to run the QuickFinder 
service. 

Samba nmb This is the Samba NetBIOS naming daemon. 

Samba CIFS support smb This script runs the Samba daemon. 

SFCB CIMOM sfcbd This is used to start the SFCB CIMOM 


daemon, which is an integral part of the 
iManager plug-ins for LUM, Samba, NSS, 
SMS, and NCS. AFP, CIFS, iPrint, and NRM 
also use SFCB. 


Novell Remote Manager on OES gets its 
server health information from CIMOM. 
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Services Associated with Scripts Script Name Notes 

SLP support slpd This lets you start and stop OpenSLP, which is 
a key component for eDirectory and certain 
other services and clients. 

Storage Management Services novell-smdrd This lets you start and stop the SMDR 


daemon precess. It also loads and unloads 
the NSS zapi kernel module used by SMS to 
back up the NSS volumes. 


Tomcat novell-tomcat6 This script sets up the Tomcat included with 
SLES 11 specifically for OES services, such 
as the Welcome pages. 

Zypper zypper This is the Zypper command line daemon. 
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System User and Group 
Management in OES 11 SP3 


This section discusses the users and groups that are used by Open Enterprise Server. Administrative 
users are discussed in Appendix |, “Administrative Users in OES 11 SP3,” on page 357. 

¢ Section H.1, "About System Users and Groups,” on page 331 

¢ Section H.2, “Understanding Proxy Users,” on page 333 

¢ Section H.3, “Common Proxy User,” on page 338 

¢ Section H.4, “Planning Your Proxy Users,” on page 342 

¢ Section H.5, “Implementing Your Proxy User Plan,” on page 351 

* Section H.6, “Proxy Users and Domain Services for Windows,” on page 353 

¢ Section H.7, “System Users,” on page 353 

¢ Section H.8, “System Groups,” on page 354 

¢ Section H.9, “Auditing System Users,” on page 356 


H.1 About System Users and Groups 


“Regular” network users rely on network services. System users and groups support those services. 


Some NetWare administrators are concerned about the number of system users and groups on an 
OES server. They wonder what functions system users perform, why there are “so many" of them, 
and how they impact licensing and network security. 


The answers to these and other questions are found in the sections that follow. 


¢ Section H.1.1, “Types of OES System Users and Groups,” on page 331 
¢ Section H.1.2, “OES System Users and Groups by Name,” on page 332 


H.1.1 Types of OES System Users and Groups 


The users and groups that support OES services can be grouped into the three types shown in Table 
H-1. 


System User and Group Management in OES 11 SP3 331 


H.1.2 


332 


Table H-1 Types of System Users and Groups with Examples 


System User or Group Type 


Proxy User 


Purpose 


Perform very specific service- 
related functions, such as 


* 


Retrieving passwords and 
service attributes 


Writing Service information in 
eDirectory. 


Providing a user ID (uid) that 
the associated service 
daemon uses to run. 


Examples 


* cifsProxyUser-servername 


* LUM Proxy user 


System Group * Facilitate the management of * DHCP 
system users * DNSDHCP 
* Provide access rights to 
service data on the server or 
in the eDirectory tree. 
System User The daemons associated with the + wwwrun 
respective services run as these nous 
* iprint 


USers. 


OES System Users and Groups by Name 


Table H-2 lists the users and groups that OES services depend on and use. 


Table H-2 System User and Groups Listing 


System User or Group Object Type Associated Service 
AfpProxyUser-servername Proxy User AFP 
(Archive Versioning Proxy) Proxy User Archive and Versioning Services 


The install admin is always assigned. 


arkuser System User Archive and Versioning Services 
CifsProxyUser-servername Proxy User CIFS 

cluster name MGT  GRP-context System Group NCS 

DHCP LDAP Proxy Proxy User DHCP 

dhcpd System User DHCP 

DHCPGroup System Group DHCP 

DNS Proxy Proxy User DNS 

DNSDHCP-GROUP System Group DNS 

iFolderProxy Proxy User iFolder 3 

iprint System User iPrint 
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System User or Group 
Iprint (POSIX) 


iprintgrp (eDirectory) 


Object Type 


System Group 


Associated Service 


iPrint 


LUM proxy Proxy User Linux User Management 
(optional) 

named System User DNS 

NetStorage Proxy Proxy User NetStorage 

novell nobody System User CIMOM 

novell nogroup System Group CIMOM 

novixregd System User XTier 

novixsrvd System User XTier 

novixtier System Group XTier 


OESCommonProxy hostname 


System User 


AFP, CIFS, DNS, DHCP, iFolder, 
NetStorage, Clustering (NCS), Linux 
User Management (optional) 


server name-SambaProxy 


Proxy User 


Samba (Novell) 


server name-W-SambaUserGroup 


System Group 


Samba (Novell) 


server nameadmin Proxy User NSS 

WWW System Group Apache 
Tomcat 
QuickFinder 

wwwrun System User Apache 


Understanding Proxy Users 


The subject of OES proxy users is somewhat complex. Therefore, it's a good idea to understand the 


basics before planning your implementation strategy. 


IMPORTANT: The information in the following sections only answers security questions and provides 
general information. It is not intended to be used for the manual configuration of proxy users. 


¢ Section H.2.1, “What Are Proxy Users?,” on page 334 


¢ Section H.2.2, "Why Are Proxy Users Needed on OES?,” on page 334 
¢ Section H.2.3, "Which Services Require Proxy Users and Why?,” on page 334 
¢ Section H.2.4, "What Rights Do Proxy Users Have?,” on page 336 
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H.2.1 What Are Proxy Users? 


As the name implies, proxy users are user objects that perform functions on behalf of OES services. 


Proxy user accounts do not represent people, rather they are eDirectory objects that provide very 
specific and limited functionality to OES services. Generally, this includes only retrieving service- 
related information, such as user passwords and service attributes, but sometimes proxy users also 
write service information in eDirectory. 


Many but not all OES services rely on proxy users to run on Linux (see “Which Services Require 
Proxy Users and Why?” on page 334). Proxy user creation and/or configuration is therefore an 
integral part of configuring OES. 


None of the OES services require that you specify proxy user information during the OES installation, 
but some, such as AFP, DNS/DHCP, CIFS, and iFolder, give you the option to do so. Others, such as 
NCS and NSS create proxy users without user input, while Archive and Versioning Services always 
uses the install admin as its proxy user. 


H.2.2 Why Are Proxy Users Needed on OES? 


OES provides the Novell services that were previously only available on NetWare. 


To make its services available on Linux, Novell had to accommodate a fundamental difference 
between the way services run on NetWare and the way they run on Linux. 


* NetWare Services: The NetWare operating system and eDirectory are tightly integrated. This 
allows the services (NLMs) on NetWare to assume the identity of a server object in eDirectory, 
thus gaining access to the other objects and information in eDirectory that are needed for the 
services to run. 


* OES Services: eDirectory also runs very well on OES, and it provides the infrastructure on 
which OES services rely, but it is not integrated with the Linux operating system. 


On Linux servers there is no concept of a service, such as Apache or iFolder running as a server 
object. Instead, each service runs using a User ID (uid) and a Group ID (gid) that the Linux 
server recognizes as being valid. 


H.2.3 Which Services Require Proxy Users and Why? 
The following services utilize a proxy user. 


Table H-3 Proxy Users Functions Listed by Service 


Associated Service Example Proxy User Name Services That the User Provides 
AFP OESCommonProxy hostname Retrieves AFP user information. 
Or 


AfpProxyUser-servername 


Archive Versioning admin The service runs as this user. 


The install admin is always 
specified. 
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Associated Service 


CIFS 


Example Proxy User Name 
OESCommonProxy_hostname 
Or 


CifsProxyUser-servername 


Services That the User Provides 


Retrieves CIFS user information. 


Clustering (NCS) 


OESCommonProxy_hostname 
Or 


installing admin user 


The clustering administrator and the proxy 
user can be two separate users. For more 
information, see “OES Common Proxy User 
"inthe OES 11 SP3: Novell Cluster Services 
for Linux Administration Guide. 


DHCP OESCommonProxy_hostname Lets the service access DHCP objects in 
eDirectory. 
Or 
DHCP_LDAP_Proxy 
DNS OESCommonProxy_hostname Lets the service access DNS objects in 
eDirectory. 
Or 
DNS_Proxy 
iFolder 3 OESCommonProxy_hostname Connects to the eDirectory server and 


Or 


iFolderProxy 


IMPORTANT: The Common Proxy 


user cannot be used if iFolder is 
running on a cluster node. 


retrieves the following information: 


* modifytimestamp 
* cn 

* mail 

* sn 

* GUID 

* givenName 


* member 


Linux User Management 


OESCommonProxy hostname 


Searches the tree for LUM users. 


Or 
LUM proxy 
NetStorage OESCommonProxy hostname Performs LDAP searches for users logging 
into NetStorage. 
Or 
NetStorage Proxy 
NSS server nameadmin Reads user objects and maintains the 


volume, pool, and other storage system 
objects. 


This user performs some of the same 
functions as proxy users do for other 
services. However, unlike other OES 
services that can share proxy users, NSS 
requires a unique proxy user for each server. 


Samba (Novell) 


server name-SambaProxy 
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H.2.4 What Rights Do Proxy Users 


Have? 


Each OES service’s YaST installation automatically adds the required rights to the proxy user 


specified for the service. 


Unless otherwise specified, each of the following 
eDirectory: 


* Self: 
Login Script: 
Read Write, Not inheritable 
Print Job Configuration: 
Read Write, Not inheritable 
[All Attribute Rights]: 
Read, Inheritable 


+ [Public] 


Message Server: 
Read, Not inheritable 


* [Root] 
Group Membership 


Read, Not inheritable 
Network Address 
Read, Not inheritable 


In addition, each proxy user is granted additional 
Table H-4 Proxy Users Rights 


Associated Service Example Proxy User Name 


AFP AfpProxyUser-servername 


users has the standard set of user rights in 


rights as summarized in Table H-4. 


Default Rights Granted 


* This proxy user has Compare and Read 
rights to the specified AFP user search 
context. 


Archive Versioning Archive Versioning Proxy 


* This user has Read and Write rights to the 
archived volume. 


CIFS CifsProxyUser-servername * This proxy user has Compare and Read 
rights to the specified CIFS user search 
context. 

Clustering (NCS) OESCommonProxy hostname * The proxy user has rights (granted through 

6 membership in the NCS_Management 
r 


installing admin user 
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group) to communicate with eDirectory on 
behalf of the clustering service. 


Associated Service Example Proxy User Name Default Rights Granted 


DHCP DHCP_LDAP_Proxy * No rights are assigned directly, but 
membership in the DHCPGroup, which 
does have assigned rights, provides the 
rights it needs. 


DNS DNS_ Proxy * No rights are assigned directly, but 
membership in the DNS-DHCPGroup, 
which does have assigned rights, provides 
the rights it needs. 


iFolder 3 iFolderProxy ¢ Additional eDirectory rights include: 

[Entry Rights] 
Browse 

LDAP ACL representation: 
1#subtree#iFolderProxy# 

[All Attributes Rights] 
Read, Compare 

LDAP ACL representation: 


3#subtree#iFolderProxy# 


Linux User LUM proxy + If created, this proxy user has Search 
Management rights on Unix Config & Unix Workstation 
Objects. 
NetStorage NetStorage Proxy * Additional eDirectory rights: 
[Entry Rights] 
Browse 


LDAP ACL representation: 
1#subtree#NetStorage_Proxy# 
[All Attributes Rights] 
Read, Compare 
LDAP ACL representation: 


3#subtree#NetStorage_Proxy# 


NSS server_nameadmin * Additional eDirectory rights: 


Supervisor right to the container it was 
created in. 
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Associated Service Example Proxy User Name Default Rights Granted 


Samba (Novell) server_name-SambaProxy * The Universal Password policy associated 


* 


* 


* 


* 


* 


with the Samba users grants this proxy 
user the right to retrieve user passwords. 


* Additional eDirectory rights: 
Rights to itself — Supervisor attribute right 
Rights to the OU where it is located 
All Attribute rights — Read Write 
Entry rights — Browse Create 


samba* — Create Read Write 


Common Proxy User 


Section H.3.1, “Common Proxy User FAQ,” on page 338 
Section H.3.2, "Managing Common Proxy Users," on page 341 


Common Proxy User FAQ 


“Why Would | Want to Specify Common Proxy Users?" on page 338 

“Why Was a Proxy User Added to Novell Cluster Services?" on page 339 

"Which Services Can and Cannot Leverage the Common Proxy User?" on page 339 
"Can a Common Proxy User Service Multiple Servers?" on page 340 

"Can | Change the Common Proxy User Name and Context?" on page 340 

"Can | Assign the Common Proxy User After Services Are Installed?" on page 340 
“What About Upgraded Servers Using a Common Proxy?" on page 340 


"Are There Important Limitations to Keep in Mind?" on page 340 


Why Would I Want to Specify Common Proxy Users? 


The implementation of a common proxy user in OES 11 SP3 addresses the following administrative 
needs: 


* 


Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree 
can quickly become quite large. And even though proxy users don't consume user license 
connections, many administrators are disconcerted by the sheer number of objects to manage 
and track. 


Common proxy users reduce the default number of proxy users from one per service to basically 
one per OES 11 SP3 server. 


Accommodate Password Security Policies: Many organizations have security policies that 
require periodic password changes. Some administrators are overwhelmed by having to 
manually track all proxy users, change their passwords, and restart the affected services after 
every change. 


Common proxy users have their passwords automatically generated by default and changed at 
whatever interval is required. Services are restarted as needed with no manual intervention 
required. 
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* Prevent Password Expiration: When proxy user passwords expire, OES 11 SP3 services are 
interrupted, leading to network user frustration and administrator headaches. 


Automatic password management for common proxy users ensures that services are never 
disrupted because of an expired password. 


Why Was a Proxy User Added to Novell Cluster Services? 


In OES 2 SP3 and later, the eDirectory communication functionality that was previously performed by 
the designated NCS administrator, has been separated out so that it can now be performed by a 
system user if so desired. 


This aligns NCS functionality with other OES services that use proxy (system) users for similar 
functions. For more information, see “OES Common Proxy User " in the OES 11 SP3: Novell Cluster 
Services for Linux Administration Guide. 


Which Services Can and Cannot Leverage the Common Proxy User? 


* "Services That Can Leverage the Common Proxy User" on page 339 
* "Services That Cannot Leverage the Common Proxy User” on page 339 


Services That Can Leverage the Common Proxy User 


The following OES services are automatically configured at install time by default to use your 
Common Proxy User (if specified): 


* Novell AFP 

* Novell CIFS 

* Novell Cluster Services 
* Novell DNS 

* Novell DHCP 

* Novell iFolder 


* Novell NetStorage 


The following OES service can be configured at install time to use your Common Proxy User (if 
specified): 


* Linux User Management (having a proxy user is optional) 


Services That Cannot Leverage the Common Proxy User 


The following services that use proxy users do not leverage the Common Proxy user for the reasons 
listed: 
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Service Reason 


Archive and Version Services This service uses the installing administrator as in the past. The user’s 
credentials are written in the CASA/password files or databases. 


Novell Samba Samba proxy password requirements are not a good fit with the Common 
Proxy user. The user's credentials are written in the CASA/password files 
or databases. 


Novell Storage Services This requires full rights to administer NSS and continues to require a 
system-named user with a system-generated password. 


Can a Common Proxy User Service Multiple Servers? 


NO. 


The common proxy user is designed and configured to be the common proxy for the OES services on 
a single server. Each subsequent new server needs a separate and distinct common proxy created 
for its services. 


Can | Change the Common Proxy User Name and Context? 


The Common Proxy User Name cannot be changed at install time and should not be manually 
changed later. Best practices dictate that each proxy user name reflect the name of the server it is 
associated with. 


The context can be changed at install time. However, eDirectory best practices suggest that object 
locations within the tree reflect the object purpose and scope of influence or function. For this reason, 
the OES install proposes the same context that you specify for the server, for its associated common 
proxy as well. 


Can I Assign the Common Proxy User After Services Are Installed? 


Yes. See "Assigning the Common Proxy to Existing Services" on page 341. 


What About Upgraded Servers Using a Common Proxy? 


You can change the services running on an upgraded OES 11 SP3 server to leverage a Common 
Proxy user. See "Assigning the Common Proxy to Existing Services" on page 341. 


Are There Important Limitations to Keep in Mind? 


Yes. 


iFolder must not be configured to use a Common Proxy on a cluster node. 


System User and Group Management in OES 11 SP3 


H.3.2 


Managing Common Proxy Users 


Common proxy users are eDirectory objects and can therefore be managed via iManager. However, 
after the initial setup is complete, there should generally be no reason for OES administrators to 
directly manage Common Proxy users. 


Use the information in the following sections to understand and implement common proxy user 
management. 

* "Always Use LDAP Port 636 to Communicate with eDirectory” on page 341 

* “Assigning the Common Proxy to Existing Services" on page 341 


+ “Changing Proxy Passwords Automatically" on page 342 


Always Use LDAP Port 636 to Communicate with eDirectory 


The Common Proxy user management scripts communicate with eDirectory using port 636 only. See 
the instructions in “Installing OES 11 SP3 as a New Installation" in the OES 11 SP3: Installation 
Guide). 


Assigning the Common Proxy to Existing Services 


You can assign the common proxy user to any of the services listed in "Services That Can Leverage 
the Common Proxy User” on page 339 using the move to common proxy.sh script on your OES 11 
SP3 server. In fact, if you have upgraded from SP2 and the server doesn't have a common proxy user 
associated with it, simply running the script will create and configure the proxy user and assign the 
services you specify. 
1 In the /opt/novell/proxymgmt/bin folder, run the following command: 
./move to common proxy.sh servicei,service2 
where the service entries are OES service names: novell-cifs, novell-dns, novell-dhcp, 
novell-iFolder, novell-netstorage, novell-lum, and/or novell-nc. 
Example scenario: 
* You have upgraded server myserver, which is located in o=novell and uses IP address 
10.10.10.1, from OES 2 SP3 to OES 11 SP3. 
* The secure LDAP port for the server is 636. 
* Your eDirectory Admin user FQDN is cn=admin,o=novell. 
* Your Admin password is 123abc. 


* You want to create a common proxy user and assign it as the common proxy for the Novell DNS 
and DHCP services running on the server. 


* Therefore, you enter the following commands: 
cd /opt/novell/proxymgmt/bin 
./move to common proxy.sh -d cn-admin,o-novell -w 123abc -i 10.10.10.1 -p 636 - 
s novell-dhcp, novell-dns 


User cn=OESCommonProxy_myserver,o=novell is created with a system-generated password and 
assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to 
be serviced by the Common Proxy user. 
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Changing Proxy Passwords Automatically 


You can configure your server so that your proxy users are regularly assigned new system-generated 
passwords by doing the following: 
1 Open the file /etc/opt/novell/proxymgmt/proxy users.conf in a text editor. 


2 List the FQDN of each proxy user on the server that you want to automatic password 
management set up for. 


For example you might insert the following entries: 


cn=OESCommonProxyUser_myserver,o=novell 
cn=myproxy,o=novell 


IMPORTANT: Users listed here must not be listed in the proxy_users.conf file on any other 
servers in the tree. 


3 Save the file. 

4 Enter the following commands: 
cd /opt/novell/proxymgmt/bin 
change_proxy_pwd.sh -A Yes 


By default, the crontab job will run every 30 days. 


H.4 Planning Your Proxy Users 


Because of the prominent role played by the proxy users on your OES network, it is important that 
you understand your implementation options and the implications for each option. You can then plan 
an overall proxy user implementation strategy. 


¢ Section H.4.1, “About Proxy User Creation,” on page 342 
¢ Section H.4.2, "There Are No Proxy User Impacts on User Connection Licenses,” on page 347 
¢ Section H.4.3, “Limiting the Number of Proxy Users in Your Tree,” on page 347 


¢ Section H.4.4, "Password Management and Proxy Users,” on page 349 


H.4.1 About Proxy User Creation 


The first step in planning your proxy user implementation strategy is understanding the do’s and 
don'ts of proxy user creation. 


* "Creation Options" on page 342 
¢ "Do Not Manually Configure Proxy Users" on page 346 
* "Avoid Assigning an Admin User As a Proxy User" on page 346 


Creation Options 


Table H-2 presents information about the creation options for each OES proxy user. 
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Table H-5 Proxy User Creation Options 


Associated 
Service 


AFP 


Service Proxy User Name Creation Information 
if Applicable 


OESCommonProxy hostna * Common Proxy User: If a Common Proxy User is 
me specified, AFP will be automatically configured to use 


6 it by default, but you have the option to change this. 
r 


+ No Common Proxy User: If a Common Proxy User 
AfpProxyUser-servername is not specified, the AFP YaST install automatically 
does the following: 


* Creates a proxy user named AfpProxyUser- 
servername in the same context as the server. 


* Generates a password, and stores it in CASA. 


Alternatively, you can modify any of the defaults, 
including the password. Or if you have already created 
a proxy user, you can specify that as well. 


Archive Versioning 


admin The admin account that installs the server is automatically 
assigned as the Archive and Versioning proxy user. This is 
not configurable. Therefore, the new Common Proxy User 
feature doesn't apply. 


CIFS 


Clustering (NCS) 


OESCommonProxy hostna * Common Proxy User: If a Common Proxy User is 
me specified, CIFS will be automatically configured to use 


T it by default, but you have the option to change this. 
r 


* No Common Proxy User: If a Common Proxy User 
CifsProxyUser-servername is not specified, the CIFS YaST install automatically 
does the following: 


* Creates a proxy user named cifsProxyUser- 
servername in the same context as the server. 


* Generates a password, and stores it in either 
CASA or in an encrypted file on the server, 
depending on which option you select. 


Alternatively, you can modify any of the defaults, 
including the password. Or if you have already created 
a proxy user, you can specify that as well. 


OESCommonProxy hostna * Common Proxy User: If the Common Proxy User is 
me specified, it is granted membership in the 

NCS Management group, which enables it to 
communicate with eDirectory on behalf of the 
clustering service. 


Or 


installing admin user 
* No Common Proxy User: If a Common Proxy User 
is not specified, the system automatically uses the 
installing administrator, which is granted membership 
in the NCS Management group, which enables it to 
communicate with eDirectory on behalf of the 
clustering service. 
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Associated 


Service Proxy User Name 


Creation Information 


Service if Applicable 
DHCP OESCommonProxy_hostna Common Proxy User: If a Common Proxy User is 
me specified, DHCP will be automatically configured to 
use it by default, but you have the option to change 
Or : 
this. 
installing administrator No Common Proxy User: If a Common Proxy User 
is not specified, the admin account that installs the 
server is assigned as the DHCP proxy user. 
If you want to assign an alternate user account, it must 
already exist in the tree and be able to access the 
DHCP server object. 
DNS OESCommonProxy hostna Common Proxy User: If a Common Proxy User is 


me 
Or 


installing administrator 


specified, DNS will be automatically configured to use 
it by default, but you have the option to change this. 


No Common Proxy User: If a Common Proxy User 
is not specified, the admin account that installs the 
server is assigned as the DNS proxy user. 


If you want to assign an alternate user account, it must 
already exist in the tree and have Read, Write, and 
Browse rights in the contexts where the DNS Locator, 
Root Server, and Group Object are created. 


Domain Services 
for Windows 
(DSfW) 


OESCommonProxy_hostna 
me 


Or 


DNS 


Common Proxy User: If a Common Proxy User is 
specified, DSfW will be automatically configured to 
use it by default, but you have the option to change 
this. 


No Common Proxy User: If a Common Proxy User 
is not specified, the admin account that installs the 
server is assigned as the DNS proxy user. 


Alternatively, you can modify any of the defaults, 
including the password, or if you have already created 
a proxy user, you can specify that as well. The user 
must have the Read right to the LDAP service. 


iFolder 3 


OESCommonProxy_hostna 
me 


Or 
iFolderProxy 


IMPORTANT: The 
Common Proxy user cannot 
be used if iFolder is running 
on a cluster node. 
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Common Proxy User: If a Common Proxy User is 
specified, iFolder will be automatically configured to 
use it by default, but you have the option to change 
this. 


No Common Proxy User: If a Common Proxy User 
is not specified, the system automatically creates a 
proxy user named iFolderProxy. 


Alternatively, you can modify any of the defaults, 
including the password, or if you have already created 
a proxy user, you can specify that as well. The user 
must have the Read right to the LDAP service. 


Associated 
Service 


Linux User 
Management 


Service Proxy User Name Creation Information 
if Applicable 


OESCommonProxy hostna By default, no LUM proxy user is created. 
me 
* Common Proxy User: If a Common Proxy User is 


Or specified, you have the option of specifying that it be 
used as the LUM proxy user. If you do this, LUM is 


LUM proxy (optional) automatically configured to use it. 


* No Common Proxy User: If you create a proxy user 
for LUM, it will be assigned rights to search the LDAP 
tree for LUM objects. 


If you assign a previously created user as the LUM 
proxy user, it must have the Read right to the LDAP 
service. 


NetStorage 


OESCommonProxy hostna * Common Proxy User: If the Common Proxy User is 
me specified, NetStorage will be configured to use it by 


T default, but you have the option to change this. 
r 


You must manually configure the proxy user with the 
rights specified in NetStorage in Table H-4 on 

page 336. For more information, see "Changing the 
NetStorage Default Configuration " in the OES 11 
SP3: NetStorage Administration Guide for Linux. 


Installing administrator 


* No Common Proxy User: If a Common Proxy User 
is not specified, the system automatically uses the 
installing administrator. 


Alternatively, you can modify any of the defaults, including 
the password, or if you have already created a different 
proxy user, you can specify that as well. The user must 
have the Read right to the LDAP service. 


NSS 


server nameadmin This admin account must have full rights to administer NSS 
and must be unique to each server. The Common Proxy 
User does not apply to NSS. 
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Associated Service Proxy User Name Creation Information 
Service if Applicable 


Samba (Novell) server name-SambaProxy By default, the Samba proxy user is created in the container 
specified as the Base Context for Samba Users and is 
named servername-sambaProxyUser. 


A password is automatically generated for the default proxy 
user, or you specify a different password for this user when 
you configure Novell Samba. 


You can specify another eDirectory user as the Samba 
proxy user. If you do, be aware of the following: 


+ |f you specify a user that doesn't already exist in 
eDirectory, the user account is created and granted 
the necessary rights. You must also specify a 
password for the new user. 


* |f you specify an existing eDirectory user, it is 
assumed that you have already created the user 
account with the necessary rights and no 
modifications are made to the existing user. 


+ If you specify an existing eDirectory user but enter a 
new password, you are prompted to change the 
password for that user. 


Because of the Samba proxy password requirements, the 
Common Proxy User cannot be used with Novell Samba. 


Do Not Manually Configure Proxy Users 


Best practices for most OES installation scenarios dictate that either the Common Proxy user be used 
or that proxy users be created in eDirectory prior to installing OES. For more information, see 
"Common Proxy User" on page 338 and "Limiting the Number of Proxy Users in Your Tree" on 

page 347. 


IMPORTANT: The information in the preceding and following sections only answers security 
questions and provides general information. It is not intended to be used for the manual configuration 
of proxy users. 


Manually created proxy users must be configured for OES-rootservice use only by the YaST based 
install, not manually. 


Avoid Assigning an Admin User As a Proxy User 


We recommend that you always use the special-purpose proxy user accounts described in this and 
the accompanying sections rather than specifying admin users as proxy users. Best practice dictates 
that proxy users have strictly limited functionality that supports only their specific system-level 
responsibilities. Proxy users should not be used for any other purposes. 


Although specifying an admin user as the proxy user appears to be an easy way of setting up OES 
services (and is the install default in some cases if the Common Proxy user option isn't selected), 
there are potential problems. Mixing actual users with system-level functionality always creates some 
risk. 
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The following is a real-life example of risks that can occur when admin users are assigned as proxy 
users: 


Novell Support received a call from an administrator who was getting locked out due to intruder 
detection after changing the administrator password. The lockout happened several times each day 
and seemed to be coming from the OES 11 SP2 servers. The support technician checked LUM and 
all of the services he could think of, and didn’t see the admin credentials anywhere. 


Further investigation revealed that the administrator credentials had been used to install OES 11 SP3 
on multiple servers, and the credentials were also used as the proxy user credentials for some of the 
OES services. Consequently, the credentials were stored in CASA for use when the OES services 
came up. 


Because the Admin password had changed, the CASA credentials had expired and service 
authentication requests were failing, resulting in the intruder detection lockout. 


There Are No Proxy User Impacts on User Connection 
Licenses 


Novell policy dictates that proxy users that function only as proxy users, are simply system users. 
Therefore, proxy users do not consume user connection licenses. 


Limiting the Number of Proxy Users in Your Tree 


The main purposes of the common proxy users are to reduce the number of proxy users in a tree and 
simplify proxy user management. Therefore, the common proxy user is the default in all applicable 
scenarios. 


Table H-6 outlines various alternative options for limiting the number of proxy users in your tree and 
summarizes the security and manageability considerations of each approach. 


Table H-6 Options for Limiting the Number of Proxy Users 


Approach Security Considerations Manageability Considerations 
Per Service per For CIFS, iFolder 3, and This approach requires no proxy user planning. 
Server Samba this is the most secure . . . 
option. By default, the Services are installed at the same time as the OES server. 


passwords for these are 
system-generated and not 
known by anyone. 


This is a good option for small organizations or installations 
where only a few services are used. 


This is not a good option if security policies dictate that all 


Por DUM theres No OHNE passwords must be reset periodically. 


have a system-generated 
password. 


For DNS, DHCP, and 
NetStorage, the install admin’s 
credentials are used by 
default. This has separate 
security implications as 
outlined in “Avoid Assigning 
an Admin User As a Proxy 
User" on page 346. 
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Approach Security Considerations Manageability Considerations 


Per Server This confines any security This requires that a proxy user for the server is created 
vulnerabilities to individual before the server is installed. 
servers and is the scenario for 
which the Common Proxy If the Common Proxy User is not leveraged, then for the 
User was developed. first server in the tree, eDirectory and iManager must be 


installed with the server. After the server installation 
finishes, a proxy user can be created. And finally the 
services can be installed and configured to use the proxy 
user for the server. 


This approach is useful when each OES server is managed 
by a separate administrator, or for enterprises where 
branch users access a server in the branch office. 


Knowing the proxy user password is not required unless 
additional services will be installed or password policies 
require periodic changing, in which cases the install admin 
must know the proxy user’s password. 


Per Partition This confines any security This is useful when users are co-located with the OES 
vulnerabilities to individual servers in a single partition, and cross-partition access of 
partitions. users to services is rare. 


This is a good approach for organizations where eDirectory 
administration is done at a partition level. 


This requires that a proxy user for the first server in the 
partition is created before services are installed in the 
partition. 


The install admin must know the proxy user’s password. 


Per Service This confines any security For example, you might have one proxy user for CIFS, one 
vulnerabilities to individual for DNS/DHCP, one for iFolder, one for iPrint etc. 
services. 


This is useful in trees where the users and servers are not 
It also ensures that proxy user co-located, and different services are administered by 
rights are not overloaded but different administrators. 


are distributed so that there is . . ANE 
a single proxy user for each This requires that a proxy user for the service is created 


type of service before the service is installed in the tree. 


The install admin must know the proxy user's password. 


Per Tree This exposes all OES services A proxy user for the tree must be created before any OES 
and servers in the tree to any services are installed in the tree. 


security vulnerabilities. OO : Ca 
This is suitable for organizations that have 


* Centralized eDirectory administration 


* Users that are not confined to the partition or subtree 
where the OES servers reside, but instead access 
different OES servers from all over the tree. 


The install admin must know the proxy user's password. 


348 System User and Group Management in OES 11 SP3 


H.4.4 


Password Management and Proxy Users 


Proxy user passwords must be stored on the individual OES servers where the services are installed 
because proxy users must be able to log in to eDirectory to perform their required functions. 


* 


* 


* 


* 


* 


"Auto-Generated vs. Manually Specified Passwords" on page 349 
"Passwords Are Stored on the Server" on page 349 

"Avoid Password Expiration Problems" on page 350 

"Changing Proxy Passwords Automatically" on page 351 


"Changing Proxy Passwords Manually" on page 351 


Auto-Generated vs. Manually Specified Passwords 


* 


Auto-Generated Passwords: These offer the highest security because the passwords are 
known only to the system. 


The Common Proxy User, CIFS Proxy User, iFolder Proxy User (YaST calls this the LDAP proxy 
user), and Samba Proxy User all use auto-generated passwords by default. 


Manually Specified Passwords: Although you can change the auto-generated passwords for 
the various proxy users, this is not recommended because it is less secure and requires that 
someone keep track of the passwords. Also, manually specified passwords can easily lead to 
problems, such as service disruption. For a related example of the problems this can cause, see 
"Avoid Assigning an Admin User As a Proxy User" on page 346. 


Passwords Are Stored on the Server 


Of course all proxy user passwords are stored in eDirectory. Table H-7 explains where they are stored 
on the server and how they can be reset if needed. 


Table H-7 Password Storage Locations 


Associated Where the Password Is Stored Locally How the Password Can Be Reset 
Service 
AFP If the service-specific proxy user is used, You can reset the password using iManager 
the password is stored in either CASA or or the CASAcli tool. 
in an encrypted file, depending on the 
configuration option specified during 
service installation. 
Archive and The service-specific password is stored in You must use the script provided by Archive 
Versioning CASA. and Versioning Services to change the 
password on the server. 
CIFS If the service-specific proxy user is used, You can use iManager to reset the password 


the password is stored in either CASA or 
in an encrypted file, depending on the 
configuration option specified during 
service installation. 


in CASA or in the encrypted file, or the 
CASAcli tool if it is stored in CASA. 


Common Proxy 
User 


This password is stored in CASA. 


We recommend that you only use the 
change proxy pwd.sh script to manage 
Common Proxy User passwords. 
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Associated 


Where the Password Is Stored Locally 


How the Password Can Be Reset 


Service 
DHCP The service-specific password is storedin You can set the password using the CASAcli 
CASA. tool. 
DNS If the service-specific proxy user is used, 
the service-specific password is stored in 
CASA if it is available. If CASA is not 
available, it is stored in an encrypted file. 
iFolder 3 If the service-specific proxy user is used, It can be changed either from a terminal 
the service-specific password is stored in prompt using the iFolder command line 
the iFolder store with PKI cryptography. utilities or through the iFolder Admin Console. 
Linux User If the service-specific proxy user is used, This can be changed in iManager through the 
Management the service-specific is stored in CASA. Linux User Management plug-in. 
NetStorage If the service-specific proxy user is used, This can be changed in iManager through the 
the service-specific password is stored in  NetStorage plug-in. 
the XTier registry. 
NSS This password is system-generated at install 


time and cannot be reset. 


Samba (Novell) 


The service-specific password is stored in 
Samba. 


You can change the password by using the 
smbpasswd command. 


IMPORTANT: Although the YaST based install can sometimes be used successfully to reconfigure 
some OES services, Novell neither recommends nor supports that practice. 


Avoid Password Expiration Problems 


Many organizations require that all network users have password policies to enforce regular 
password expiration and change. 


Such policies create complications for the proxy user design. Proxy user passwords are stored on the 
local system to enable the OES services to log in to eDirectory. Every time a password change is 
forced in eDirectory, services stop working until the password is synchronized on the server. 


These problems can be avoided by: 


* Notassigning proxy users a password policy that enforces password expiration. 


* Not using real user credentials for proxy users. See "Avoid Assigning an Admin User As a Proxy 
User" on page 346. 


If password expiration policies cannot be avoided, or a security policy dictates that proxy user 
passwords must be changed periodically, we strongly urge you to implement an automatic password 
change routine as explained in"Changing Proxy Passwords Automatically" on page 351. 


Otherwise you should probably do the following. 


* Ensure that the responsible administrator knows or has a record of each proxy user's password 
and is aware of when each password expires. 


* Before passwords expire, change them in eDirectory and reset them on the server. See the 
information in Table H-7. 
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Changing Proxy Passwords Automatically 


You can configure your server so that your proxy users are regularly assigned new system-generated 
passwords by doing the following: 
1 Open the file /etc/opt/novell/proxymgmt/proxy users.conf in a text editor. 


2 List the FQDN of each proxy user on the server that you want to automatic password 
management set up for. 


For example you might insert the following entries: 


cn=OESCommonProxyUser_myserver.o=novell 
cn=myproxy.o=novell 


IMPORTANT: Users listed here must not be listed in the proxy_users.conf file on any other 
servers in the tree. 


3 Save the file. 
4 Enter the following commands: 
cd /opt/novell/proxymgmt/bin 
change_proxy_pwd.sh -A Yes 
By default, the crontab job will run on the fifteenth (15th) day of each month. 


Changing Proxy Passwords Manually 


The change_proxy_pwd.sh command can also be used to enter a proxy user password. 


IMPORTANT: If you enter a password by using the change_proxy_pwd.sh command, the password 
cannot contain special shell variables ($#, $_, or #?). These characters are interpreted by the shell 
while processing service scripts. 


The workaround is to enter the password within single quotes. For example, you can enter the 
password novell$$ as 'novell$$'. The shell doesn't interpret content within single quotes. 


Implementing Your Proxy User Plan 


The proxy users in OES can be configured at different levels within eDirectory, depending on your 
needs. 


IMPORTANT: If you plan to use the Common Proxy User, you can ignore this note. 


The brief instructions that follow assume that you are installing into an existing tree and not 
leveraging the Common Proxy User. 


For new trees, you will need to install and configure eDirectory on the first server without configuring 
any other OES services. 


After the server is installed and you have created the required proxy users and passwords, then you 
can install the OES services and configure them to use the proxy users you have created. 
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H.5.3 


H.5.4 


The exception to this is installing all services without changing the default configuration settings (see 
Table H-5 on page 343). In most cases a default configuration assigns the install admin as the proxy 
user for the service. 


¢ Section H.5.1, “Tree-Wide Proxy Users,” on page 352 

¢ Section H.5.2, "Service-Specific Proxy Users,” on page 352 
¢ Section H.5.3, "Partition-Wide Proxy Users,” on page 352 

¢ Section H.5.4, "Server-Wide Proxy User,” on page 352 


¢ Section H.5.5, “Individual Proxy User Per-Server-Per-Service,” on page 353 


Tree-Wide Proxy Users 


Do the following: 


1. Create a proxy user in the eDirectory tree where the OES servers will be installed, and set the 
password. 


Consider naming the user to reflect its purpose. For example, name the proxy user 
oes_service_proxy_user. 


2. Use this proxy user and password while configuring the services on all of the OES servers in that 
tree. 


Service-Specific Proxy Users 


Do the following: 
1. Create a proxy user in the eDirectory tree for each type of OES service and set the passwords. 


Consider naming the user to reflect its purpose. For example, name the CIFS proxy user, 
cifs proxy user. 


2. Use these proxy users and passwords appropriately for each of the OES services on all OES 
servers. 


Partition-Wide Proxy Users 


Do the following: 
1. Create one proxy user object per eDirectory partition in the OES tree, and set the password. 


Consider naming the user to reflect its purpose. For example, name the proxy user for the 
London regional office, london office proxy user. 


2. Use this proxy user and password for configuring all of the OES services on all the OES servers 
in that partition. 


Server-Wide Proxy User 


NOTE: The Common Proxy User is specifically designed as the default for this scenario. 
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H.7 


Do the following: 


1. Create one proxy user object per OES server (preferably in the same container as the server) 
and set the password. 


2. Use this proxy user and password as the proxy user for all the services on that particular OES 
server. 


Individual Proxy User Per-Server-Per-Service 


This is the installation default if the Common Proxy User is not utilized as explained in Table H-6, 
“Options for Limiting the Number of Proxy Users,” on page 347. 


Proxy Users and Domain Services for Windows 


Proxy users are not used in DSfW. 


The Services part of the Trusted Computed Base has the rights to read users’ supplemental 
credentials for authentication. A separate Kerberos process reads user passwords and performs the 
authentication. Another event handler in eDirectory creates the supplemental credentials for the user 
whenever the password is changed for that user. 


However, the DNS Proxy User is closely associated with DSfW and can leverage the Common Proxy 
User. 


System Users 


SLES and OES create system users on the local Linux system to provide user IDs (uids) to service 
processes. These users have rights to local files, such as configuration files. 


The services that rely on system users do not have passwords because they don't need to log in. 
They simply use their associated user IDs. 


When NSS is installed, some of these users are moved to eDirectory and LUM enabled. This is done 
to provide access to NSS data, to keep the user IDs the same across multiple servers, and to 
facilitate clustering and shared volumes. 


Table H-2 lists the various system users that are used by OES services. 
Table H-8 System User Purposes 


System User Associated Service Purpose 


or Group 
Name 
arkuser Archive and The service uses PostgreSQL as its metadata store, and PostgreSQL 


Versioning Services must run as a low-privileged user. 


arkuser is that low-privileged user. 
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System User 
or Group 
Name 


dhcpd 


Associated Service Purpose 


DHCP 


DHCP accesses local resources through this or an alternatively 
specified user. 


If the DHCP lease and configuration files are stored on NSS, the user 
must be moved to eDirectory and LUM enabled. 


dhcpd is used by default, but any local user can be used. 


iprint 


iPrint 


The iPrint daemons run as this user. 


If iPrint is moved to NSS, this user is created in eDirectory and the 
local user is removed. 


named 


DNS 


This system user lets DNS access local resources. 


In case of clusters, DNS data is on NSS volume, and so the user has 
to be created in eDirectory as well. 


named is used by default, but any local user can be used. 


novell nobody 


CIMOM 


This user is created by CIMOM but is not currently used. 


novixregd 


XTier 


The XTier Registry Daemon (novell-xregd) runs as this user. 


When NSS is installed on the Linux server, this user is removed from 
the local system and created as LUM-enabled user in eDirectory. This 
is required because it must have access to NSS data, and all NSS 
access is controlled through eDirectory. 


novixsrvd 


XTier 


The XTier Server Daemon (novell-xsrvd) runs as this user. 


When NSS is installed on the Linux server, this user is removed from 
the local system and created as LUM-enabled user in eDirectory. This 
is required because it must have access to NSS data, and all NSS 
access is controlled through eDirectory. 


wwwrun 


Apache 


System Groups 


The Apache daemon runs as this user. 


When NSS is installed on the Linux server, this user is removed from 
the local system and created as LUM-enabled user in eDirectory. This 
is required because it must have access to NSS data, and all NSS 
access is controlled through eDirectory. 


These are groups in the local Linux system that provide a group ID (gid) to an OES process. 


When NSS is installed, some of these groups are moved to eDirectory and LUM enabled. This is 
done to provide access to NSS data and to keep group IDs the same across multiple servers. 


Table H-2 lists the system groups that are used by OES services. 
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System User or Group 
Name 


Associated Service Purpose 


Iprint (POSIX) iPrint The iPrint daemons use the group ID (gid) of this group 

"M : to run. 

iprintgrp (eDirectory) 
If iPrint is moved to NSS, the iprintgrp group is created in 
eDirectory. 

ncsgroup NCS ncsclient is a member of this group. 

novell nogroup CIMOM This group is created by CIMOM but is not currently 
used. 

novixtier XTier The XTier daemons use the group id (gid) of this group to 


run. 


Apache (wwwrun) is a group member because it needs 
XTier socket access. 


When NSS is installed on the Linux server, this group is 
removed from the local system and created in eDirectory. 
This is required because members of this group must 
have access to NSS data, and all NSS access is 
controlled through eDirectory. 


server_name-W- 


Samba (Novell) 


All users granted Samba access are originally assigned 


SambaUserGroup to this group, which disables SSH access for them on the 
server. For more information, see "The Samba 
connection:” on page 152. 
shadow QuickFinder Used by QuickFinder and other Web services. 
WWW Apache Apache (wwwrun) and tomcat (novlwww) use the group 
ID (gid) of this group to run. 
Tomcat 
mE QuickFinder requires that all users who manage the 
QuickFinder service (including the eDirectory Admin user) belong to 


this group. 


User novlxsrvd is in the group because it needs access 
to an Apache domain socket. 


When NSS is installed on the Linux server, this group is 
removed from the local system and created in eDirectory. 
This is required because members of this group must 
have access to NSS data, and all NSS access is 
controlled through eDirectory. 
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H.9 Auditing System Users 


It is the nature of the Linux operating system and the POSIX security model that the root user has 
access to all system information stored on the local server. Due to this fact, some organizations 
choose to monitor the activities of privileged users. 


If you are interested in monitoring such activities, two Novell products can assist you. 


* Novell Sentinel: Universal Password events can be monitored using Novell Sentinel. You 
enable this by modifying the NMAS Login Policy Object. For instructions, see "Auditing NMAS 
Events." Then refer to the Novell Sentinel Documentation (http://www.novell.com/ 
documentation/sentinel6/) for further instructions. 


* Privileged User Manager: This product lets you monitor root user activities on the OES server 
by collecting data, analyzing keystrokes, and creating indelible audit trails. For more information, 
see the Novell Privileged User Manager Documentation (http://www.novell.com/documentation/ 
privilegedusermanager22/index.html). 
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Administrative Users in OES 11 SP3 


Every OES network requires at least one administrative-level user to manage regular network users 
and system users. 


Table |-1 Administrative Users and Groups 


Administrative User or Associated Service Object Type Purpose 
Group 
Admin eDirectory Admin User The eDirectory administrator that 


has all rights to manage the Tree. 
The default is Admin. 


Container Admin eDirectory Admin User These administrators are usually 
responsible for administering within 
a partition or subtree. 


They might be assigned only 
enough rights to install servers, or 
they might be assigned to specific 
roles in iManager. 


admingroup eDirectory Admin Group Provides LUM-enabling for the 
eDirectory administrator. 


iFolderAdmin iFolder 3 Service Admin This is the default iFolder service 
administrator account. By default, 
the Tree Admin is specified. 


QuickFinderAdmin QuickFinder Service Admin This is the QuickFinder 
administrator. 


The default is the Tree Admin. 


TIP: The iManager Role-based-services (RBS) feature lets you delegate administrative 
responsibilities based on administrative roles. For more information, see "Role-Based Services" in the 
NetlQ® iManager Administration Guide. 
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J.1 


J.2 


J.2.1 


Coordinating Password Policies 
Among Multiple File Services 


* Section J.1, “Overview,” on page 359 
* Section J.2, "Concepts and Prerequisites,” on page 359 
* Section J.3, "Examples," on page 360 


* Section J.4, "Deployment Guidelines for Different Servers and Deployment Scenarios," on 
page 363 


Overview 


OES 11 SP3 includes native file services for Windows and Macintosh workstations: 


Macintosh Workstations Windows Workstations 
* Novell AFP * Novell CIFS 
* Novell CIFS * Novell Samba 


* Domain Services for Windows (DSfW) 


DSfW is not classified as a file service, but it includes a 
customized version of Samba that is different from 
Novell Samba. 


Each of these services requires that users who access them have Password policies that meet 
specific requirements. Users can be governed by only one Password policy at a time, so if any of your 
network users require access to more than one of the file services, you need to coordinate the 
Password policies that govern the users to ensure that they can access the different file services. 


Concepts and Prerequisites 


Prerequisites for AFP, CIFS, and Samba access are explained in the following sections: 


¢ Section J.2.1, “Prerequisites for File Service Access,” on page 359 
¢ Section J.2.2, “eDirectory contexts," on page 360 
¢ Section J.2.3, "Password Policies and Assignments,” on page 360 


Prerequisites for File Service Access 


The following are the prerequisites for user access to AFP, CIFS, and Samba services: 


* The eDirectory context under which users are searched for must be configured during service 
configuration. 


* The users need to be governed by Password policies that enable Universal Password for them. 


Coordinating Password Policies Among Multiple File Services 359 


J.2.2 


J.2.3 


J.3 


J.3.1 


* There must be at least one writable replica of NMAS version 3.2 or later having the user object 
trying to access the AFP or CIFS server. NMAS 3.2 is already present on OES 2 servers, and 
NMAS 3.2 is installed on servers running eDirectory 8.8.2. On NetWare servers with a lone 
writable replica of a AFP or CIFS user, NMAS should be upgraded by upgrading to the Novell 
Security Services 2.0.6 on eDirectory 8.7.3 SP10 or eDirectory 8.8.2. 


* The file access services will provide access/visibility to the users as per the trustee rights they 
have on the volumes and files. 


In addition, Samba (on both DSFW and non-DSFW servers) has the following additional 
requirements: 

* The users must be LUM-enabled on the server. 

* The users must be members of a LUM-enabled group on the server holding the volumes. 


Ħ Samba users must be created in a container or partition that has a Samba-qualified password 
policy assigned to it. 


eDirectory contexts 


* AFP: These are the contexts under which the user objects will be searched for during an 
authentication. In a name-mapped (existing tree) install, if the context resides in a DSfW domain, 
the context can be specified either in the domain name format (Active Directory format) or in the 
X.509 format. 


* CIFS: The eDirectory contexts of users can be specified either in the domain name format 
(Active Directory format) or in the X.509 format. 


* Samba: Depends on LUM to search for the user in eDirectory and therefore doesn't require an 
eDirectory context. 


Password Policies and Assignments 


* Samba: Creates a default password policy, but does not attach this policy to any user. 


* DSFW: The password policy in a DSfW environment is modeled after Active Directory Password 
policies. There is a single Password policy at the domain level, and it is configured during 
provisioning. eDirectory allows you to set policies at the user or container level. However, this is 
not recommended in a DSfW environment. 


Examples 


* Section J.3.1, "Example 1: Complex Mixed Tree with a Mix of File Access Services and Users 
from across the Tree," on page 360 


¢ Section J.3.2, "Example 2: Mutually Exclusive Users,” on page 362 


Example 1: Complex Mixed Tree with a Mix of File Access 
Services and Users from across the Tree 
* "Tree Setup" on page 361 


+ “OES/NetWare Servers" on page 361 


* "File Services" on page 361 
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* "User Access to Services” on page 362 
* "Rights Required for Installation and Administration" on page 362 


Figure J-1 Example 1 


sc widget 
idget,dc=com 


9u-prv,o-widget | ou-wal,o-widget 
yu=eng, ou=prv, o=widget IN ou-prv,o-widget 


The WIDGETS_INC tree has the following configuration: 


cn-security 


ou-blr,o-widget 
de=blr, dc=widg et 4 


ou-sales,ou-blr, o=widaat 
de=sales, dc=blr, dc=widget,4 


Tree Setup 


* o=widget, ou=blr,o=widget, and ou=sales,ou=blr,o=widget are eDir partitions as well as name 
mapped domains. 


* ou=prv, o-widget, ou=wal,o=widget, ou=hr,ou=prv,o=widget are partitions (but not domains) 


* ou=end,ou=prv,o=widget refers to the top of a subtree but not a partition. It is a container under 
the ou=prv,o=widget partition. 


OES/NetWare Servers 


+ S1-S6 and S9 are OES servers 
* S7 and S8 are NetWare servers 


File Services 


* S1, S2, S3, and S4 are DSfW servers and serve volumes over Samba and NCP 
* S5 serves its volumes over AFP and NCP 

* S6 serves its volumes over CIFS and NCP 

* S7 serves its volumes over AFP, CIFS, and NCP 

* S8 serves its volumes over NetWare CIFS, NetWare AFP, and NCP 

* S9 serves its volumes over AFP, Samba, and NCP 
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NOTE: Although Novell CIFS and Samba can both be installed on the same machine, they cannot 
run together because of a port conflict. The administrator can configure either Samba or Novell CIFS 
on a single machine, but not both. 


User Access to Services 


Users from all over the tree can access services running on S1-S9. In order for users to be able to 
access AFP/CIFS services, the search contexts (eDirectory contexts) for these services should be 
configured to the subtrees under which those users can be found. 


Rights Required for Installation and Administration 


Installation and configuration in iManager must be done by an OES administrator. This is typically a 
container administrator in eDirectory who has supervisory privileges over the container where the 
server is being installed. This need not be the tree administrator. 


J.3.2 Example 2: Mutually Exclusive Users 


362 


* "File Services" on page 362 
* "Users" on page 363 


In this scenario, the setup of the tree and file services is similar to that in Example 1, but the users are 
local to the context where a particular service is installed. 


Figure J-2 Example 2 


cn-security 


ou=blr, o=widget 
dc-blr, dc-widget/d 


gu-prv,o-widget ^ ou-walo-widget 


ou=sales, ou=blr, o-wjdagt 
dc-sales, dc-blr, dc=widget, 


File Services 


* S1, S2, S3, and S4 are DSfW servers and serve their volumes over Samba and NCP 
* S5, S6, and S7 serve their volumes over AFP and NCP 
+ S8 and S9 serves their volumes over CIFS and NCP 
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J.4 


J.4.1 


Users 


For example, u1 is a user under the container ou=prv,o=widget and is expected to access AFP 
services on S5, S6, and S7. Similarly, u2 is a user under the container ou=wal,o=widget and is 
expected to access CIFS services on S8 and S9. 


Deployment Guidelines for Different Servers and 
Deployment Scenarios 


¢ Section J.4.1, "Deployment Scenario 1: Complex Mixed Scenario with a Mix of File Access 
Services," on page 363 


* Section J.4.2, "Deployment Scenario 2: Mutually /Exclusive Users," on page 365 
* Section J.4.3, "Deployment Scenario 3: Simple deployments,” on page 365 
* Section J.4.4, "Modifying User Password Policies after Samba/DSfW Is Installed," on page 365 


* Section J.4.5, "Adding New User eDirectory Contexts to AFP/CIFS after AFP/CIFS/Samba/ 
DSfW Is Installed.," on page 365 


* Section J.4.6, "Enabling File Access for DSfW Servers Across Domains," on page 366 


Deployment Scenario 1: Complex Mixed Scenario with a Mix 
of File Access Services 


* "First Server in a New Tree (Example1)" on page 363 


* “Subsequent Servers in a Tree (Example 1)" on page 364 


First Server in a New Tree (Example1) 


+ "Not recommended—non-name-mapped (new tree) S1 (DSfW) server” on page 363 
* "Non-DSFW Server" on page 364 


Not recommended—non-name-mapped (new tree) S1 (DSfW) server 


Installation is the same as for the Forest Root Domain (FRD). The tree is named as per domain 
naming standards. Samba is installed as part of DSFW installation. Neither AFP nor Novell CIFS can 
be installed/configured on this server because they are not compatible with the DSFW server. 


In order for users to access NSS volumes on this server through Samba, the users need to fit the 
following constraints: 
* They must be LUM-enabled 


* Cross domain access is necessary for users from outside of the DSFW domain corresponding to 
this server to access the volumes on this server. This can be achieved by adding those contexts 
to the LUM context for the LUM workstation object that represents the domain controller. 


* Winbind translates user principles to UIDs for non-NSS volumes. LUM enabling is not required 
for non-NSS volume access. 
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Non-DSFW Server 


If the first server in the tree is a non-DSFW server, then any combination of AFP, Novell CIFS, or 
Samba can be installed on this server. Because the tree is being newly created, the users, the proxy 
users (system users), and the Password policies will not be present. Use the following procedure for 
installation: 


1 Install and configure the server with eDirectory, NSS, and other core services, but without 
selecting file access services. 
2 Use auto-created common proxy user in eDirectory configuration for the OES services. 
3 Use iManager to create a system user (proxy user) to be used for the OES services. 
4 Use the Yast install to configure the Novell AFP and Novell CIFS services as follows: 
4a Use an auto-generated common proxy user for all the services. 
4b Specify the contexts under which to search for the AFP or CIFS users. 


5 If the AFP/CIFS/Samba user objects are present on NetWare servers, upgrade Novell Security 
Services version 2.0.6 in order to upgrade to NMAS 3.2 on NetWare. 


Subsequent Servers in a Tree (Example 1) 


* "S2, S3, S4" on page 364 
* “S5” on page 364 
* "S6" on page 364 
* "S7" on page 364 
* "S8" on page 364 
* "S9" on page 365 
S2, S3, S4 


Administrators need to decide whether these servers should be installed on a new domain or as 
additional domain controllers during capacity planning and deployment design. Follow the OES 11 
SP3: Domain Services for Windows Administration Guide to deploy S3 and S4 in the tree. 


S5 


1 Use an auto-generated common proxy user for all the services. 


S6 


Use the same procedure as for S5. 


S7 


Use the same procedure as for S5 and S6. 


S8 


* AFP and CIFS on NetWare don't require proxy users or password policies for service access. 
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J.4.2 


J.4.3 


J.4.4 


J.4.5 


* NMAS needs to be upgraded to 3.2+, if this server hosts the only writable replica for a partition 
with AFP or CIFS users. 


* If this NetWare box is migrated to OES11 SP3, AFP and CIFS users should be enabled for 
Universal Password by having a password policy configured. CIFS users need to log in through 
NCP (Novell Client) to synchronize their NDS passwords to the Universal Password. 


S9 


* Use the same procedure as for S5. 


* Either use a common proxy user for all the services (AFP), or allow auto-generation of the proxy 
user/password for each AFP. 


Deployment Scenario 2: Mutually /Exclusive Users 


In some trees, AFP, CIFS, and Samba might be employed, but the users are partitioned in such a way 
that each user has access to AFP, to CIFS or to Samba, but not to all of them. 


S1, S2, S3, S4 
DSfW servers with Samba. All the users are under dc=blr,dc=widgets,dc=com. 


* You can use the default Password policy provided by Domain Services for Windows for all the 
users in this subtree. 


* You can create and use a single proxy user/password under dc=blr,dc=widgets,dc=com for all 
the servers providing Samba. 


Deployment Scenario 3: Simple deployments 


Simple deployments require very little planning. 


One auto-generated common proxy user per server for all services configured on the server is a good 
choice. 


Modifying User Password Policies after Samba/DSfW Is 
Installed 


After a new password policy is assigned to a Samba or DSfW user, rerun the YaST-based 
configuration and select the new Password policies. 


Adding New User eDirectory Contexts to AFP/CIFS after 
AFP/CIFS/Sambal/DSfW Is Installed. 


If users from additional or different eDirectory contexts need to be allowed to access CIFS or AFP, 
rerun the YaST-based configuration and modify or add the required edirectory user contexts. 
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J.4.6 Enabling File Access for DSfW Servers Across Domains 


DSfW requires that users be LUM-enabled to access NSS file services through Samba. For a user to 
access a DSfW server in a different domain, the user needs to be a LUM-enabled user on the other 
server. DSfW provisioning establishes shortcut trust between domains. Users from other domains in 
the forest can access non-NSS volumes as long as they have rights on the resources. 


To achieve this, the context of the partition root for the user object should be added as a search 
context for LUM. This needs to be done in addition to the trustee rights provided to the user (or the 
user's group) as part of file system rights. 
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K Configuration and Log Files 


K.1 


Section K.1, “AFP,” on page 367 

Section K.2, “Archive and Version Services,” on page 368 
Section K.3, “CIFS,” on page 368 

Section K.4, “Common Proxy,” on page 369 

Section K.5, “DFS,” on page 369 

Section K.6, “DHCP,” on page 369 

Section K.7, “DNS,” on page 370 

Section K.8, “Domain Services for Windows,” on page 370 
Section K.9, “Install,” on page 372 

Section K.10, “iFolder Server,” on page 373 

Section K.11, “iPrint,” on page 374 

Section K.12, “Linux User Management,” on page 374 
Section K.13, “Migration Tool,” on page 375 

Section K.14, “NetStorage,” on page 376 

Section K.15, “Novell Cluster Services,” on page 377 
Section K.16, “Novell Linux Volume Manager,” on page 377 
Section K.17, “Novell Storage Services,” on page 378 
Section K.18, “Novell Samba,” on page 378 

Section K.19, “NCP,” on page 379 

Section K.20, “QuickFinder,” on page 379 

Section K.21, “SMS,” on page 380 

Section K.22, “Vigil,” on page 380 


AFP 


Table K-1 AFP Configuration Files 


Path 


List of eDirectory contexts having AFP users 


/etc/opt/novell/afptcpd/afpdircxt.conf 


Description 


/etc/opt/novell/afptcpd/afptcpd.conf 


/etc/opt/novell/afptcpd/afpvols.conf 


AFP server 


List of NSS volumes to export through AFP server 


lopt/novell/afptcpd/Ism/afplinlsmconfig.txt 


Used by installation of AFP NMAS method into 
eDirectory tree. 
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K.2 


K.3 


Table K-2 AFP Log Files 


Path 


/var/opt/novell/log/afptcp.log 


Description 


AFP server run-time 


Archive and Version Services 


Table K-3 Archive and Version Services Configuration Files 


Path 


/etc/opt/novell/arkmanager/conf/arkConfig.xml 


Description 


Server configuration file 


/etc/opt/novell/arkmanager/conf/arkdatadir.conf 


Table K-4 Archive and Version Services Log Files 


Path 


/var/opt/novell/arkmanager/logs/ark.log 


CIFS 


Table K-5 CIFS Configuration Files 


Path 


letc/opt/novell/cifs/cifs.conf 


AV database configuration info. 


Description 


This file is a link to the latest rotatable logs. 


Description 


CIFS server 


/etc/opt/novell/cifs/cifsctxs.conf 


List of eDirectory contexts having CIFS users 


/etc/opt/novell/cifs/cifslogrotate.conf 


/etc/opt/novell/cifs/logrotate.d/novell-cifs-hourly 


Hourly rotation of CIFS log file 


Customized hourly rotation of CIFS log file 


/opt/novell/cifs/share/nmasmthd/ntlm/config.txt 


Table K-6 CIFS Log Files 


Path 


/var/opt/novell/log/cifs.log 


Configuration and Log Files 


Used by installation of CIFS NMAS method into 
eDirectory tree. 


Description 


CIFS server run-time 


K.4 


K.5 


K.6 


Common Proxy 


Table K-7 Common Proxy Configuration Files 


Path 


/etc/opt/novell/proxymgmt/proxy_users.conf 


Table K-8 Common Proxy Log Files 


Path 


/var/opt/novell/log/proxymgmt/pxylist.txt 


Description 


List of proxy users on local systems whose 
password is changed automatically 


Description 


List of proxy users used by services on local 
systems. Created when /opt/novell/proxymgmt/bin/ 
retrieve_proxy_list.sh is run. 


/var/opt/novell/log/proxymgmt/pxymgmt.log 


DFS 


Table K-9 DFS Log Files 


Path 


/var/log/messages 


Description 


DFS Logs 


/var/opt/novell/tomcat6/logs/catalina.out 


iManager Logs 


/var/opt/novell/log/dfs/virpr.log 


DHCP 


Table K-10 DHCP Configuration Files 


Path 


/etc/dhcpd.conf 
Table K-11 DHCP Log Files 


Path 


/var/log/dhcp-ldap-startup.log 


VLDB Repair Logs 


Description 


Description 


/var/log/dhcpd.log 


/var/log/rc.dhcpd.log 


DHCP server failure during startup 
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K.7 


K.8 


DNS 


Table K-12 DNS Configuration Files 


Path 


/etc/opt/novell/named/named.conf 
Table K-13 DNS Log Files 


Path 


/var/opt/novell/log/named_zones. info 


Description 


configuration file loaded from e-directory 


Description 


/var/opt/novell/log/named.run 


Domain Services for Windows 


Table K-14 DSfW Configuration Files 


Path 


letc/krb5.conf 


Description 


kerberos configuration for DSfW. 


letc/krb5.keytab 


Kerberos related link used by samba service. 


letc/nsswitch.conf 


Configuration of Name service switch used by 
DSfW. 


/etc/ntp.conf 


ntp server Configuration for DSfW. 


/etc/opt/novell/eDirectory/conf/nds.conf 


The eDirectory configuration file. 


/etc/opt/novell/eDirectory/conf/ndsmodules.conf 


This file describes the modules to be loaded at 
boot-up into ndsd address space. Specific to DSfW 
it includes samspm. 


/etc/opt/novell/named/named.conf 


/etc/opt/novell/xad/gss/mech 


DNS configuration file. 


gssapi configuration information. 


letc/opt/novell/xad/openldap/Ildap.conf 


Defaults used by LDAP. 


letc/opt/novell/xad/xad.ini 


DSfW related information (domain name,Admin 
details, IP address, DNS context etc). 


letc/opt/novell/xad/xadss.conf 


Domain Services for Windows RPC server 
configuration. 


letc/resolv.conf 


Configuration of DNS client for accessing DNS 
server. 


/etc/rsyncd.conf 


Configuration file for adding directories to be 
synchronized during sysvolsync. 


/etc/smb.conf 
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Samba Configuration for DSfW. 


Path 


letc/ssh/ssh config 


Description 


Used to enable gssapi authentication during 
installation. 


letc/ssh/sshd config 


Used to enable gssapi authentication during 
installation. 


letc/sysconfig/novell/xad2 oes11 


Table K-15 DSfW Log Files 


Path 


/var/log/messages 


File containing parameters specified during YaST 
configuration of DSfW. Used by other components 
like LU 


Description 


For DSfW the keywords which are of importance 
are "xadsd", "smbd", and “winbind”. 


/var/log/samba/log.nmbd 


Logs related to nmbd process (“smbcontrol nmbd 
debug 10” can be used to set the log level to 
maximum.). 


/var/log/samba/log.smbd 


Logs related to smbd process (“smbcontrol smbd 
debug 10” can be used to set the log level to 
maximum.). 


/var/log/samba/log.wb-<DOMAIN> 


domain specific winbindd logs. The DOMAIN refers 
to domain names which winbind is aware of. 


/var/log/samba/log.winbindd 


Logs related to winbindd process (“smbcontrol 
winbindd debug 10” can be used to set the log level 
to maximum.). 


/var/log/samba/log.winbindd-idmap 


Winbind id mapping related logs, that is SID to UID/ 
GID and vice versa. 


lvar/log/YaST2/y2log 


Logging done during YaST configuration and 
Installation of DSfW. 


/var/opt/novell/log/named.run 


DNS logs (Activated using command “rdndctrace 
10”). 


/var/opt/novell/xad/log/domaincntrl.log 


/var/opt/novell/xad/log/healthCheck.log 


Logs related to domaincntrl tool operations. 


Log of server pre-check operations done during 
Installation and Provisioning.(Replica status, DNS 
status, remote server connectivity, purger, 
removing bad address cache etc.). 


/var/opt/novell/xad/log/kdc.log 


Kerberos (xad-krb5kdc) related logs. 


/var/opt/novell/xad/log/kpasswd.log 


Kerberos password server (xad-kpasswdd) related 
logs. 


/var/opt/novell/xad/log/ndsdcinit.log 


More detailed log related to Installation and 
Provisioning of DSfW. 


/var/opt/novell/xad/log/provisioning.log 


/var/opt/novell/xad/log/sysvolsync.log 


Logging done during Provisioning phases of DSfW. 


Log about the sysvol synchronization details. 


/var/opt/novell/xad/run/rpcd.log 


Logs related to rpcd daemon. 
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K.9 Install 


Table K-16 Install Framework Configuration Files 


Path Description 


letc/sysconfig/novell/afp oes11 sp2 


letc/sysconfig/novell/arkman oes11 sp2 


letc/sysconfig/novell/zcmmn oes11 sp2 


letc/sysconfig/novellledir oes11 sp2 


letc/sysconfig/novell/ifldr3 ^ oes11 sp2 


letc/sysconfig/novell/iman oes11 sp2 


letc/sysconfig/novell/iprnt oes11 sp2 


letc/sysconfig/novell/Idap servers 


letc/sysconfig/novell/lum oes11 sp2 


letc/sysconfig/novell/ncpsrvr oes11 sp2 


letc/sysconfig/novell/ncs oes11 sp2 


letc/sysconfig/novell/netstore oes11 sp2 


letc/sysconfig/novell/nss oes11 sp2 


letc/sysconfig/novell/NvICifs oes11 sp2 


/etc/sysconfig/novell/NvIDhcp_oes11_sp2 


/etc/sysconfig/novell/NvIDns_oes11_sp2 


/etc/sysconfig/novell/nvisamba_oes11_sp2 


letc/sysconfig/novell/oes-Idap 


letc/sysconfig/novell/quickfndr oes11 sp2 


letc/sysconfig/novell/schematool 


letc/sysconfig/novell/sms oes11 sp2 


letc/sysconfig/novell/xad oes11 sp2 


Table K-17 Install Framework Log Files 


Path Description 


/var/opt/novell/eDirectory/log/oes_schema.log 
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K.10 


iFolder Server 


Table K-18 iFolder Server Configuration Files 


Path Description 


/opt/novell/ifolder3/bin/SimiasServerSetup.exe.config 
/opt/novell/ifolder3/bin/iFolderAdminSetup.exe.config 
/opt/novell/ifolder3/bin/iFolderWebSetup.exe.config 
/opt/novell/ifolder3/etc/novell-ifolder3.conf 
/opt/novell/ifolder3/etc/simias/Simias.config 
/opt/novell/ifolder3/etc/simias/Simias.log4net 
/opt/novell/ifolder3/etc/simias/apache/default/ifolder_admin.conf 
/opt/novell/ifolder3/etc/simias/apache/default/ifolder_webaccess.conf 
/opt/novell/ifolder3/etc/simias/apache/default/simias_server.conf 
/opt/novell/ifolder3/etc/simias/apache/example.com/ifolder_admin.conf 
/opt/novell/ifolder3/etc/simias/apache/example.com/ifolder_webaccess.conf 
/opt/novell/ifolder3/etc/simias/apache/example.com/simias_server.conf 
/opt/novell/ifolder3/etc/simias/apache/ifolder_apache.conf 
/opt/novell/ifolder3/etc/simias/bill/Simias.config 
/opt/novell/ifolder3/etc/simias/bill/modules/Simias.Server.conf 
/opt/novell/ifolder3/etc/simias/defaults. config 
lopt/novell/ifolder3/libG4/simias/web/update/unix/unix-version.config 
/opt/novell/ifolder3/lib64/simias/web/update/windows/version.config 
/opt/novell/ifolder3/lib64/simias/web/update/mac/mac-version.config 
/etc/apache2/conf.d/ifolder_admin.conf 
/etc/apache2/conf.d/ifolder_web.conf 

/etc/apache2/conf.d/simias.conf 
/opt/novell/ifolder3/lib64/simias/admin/Web.config 
/opt/novell/ifolder3/lib64/simias/web/web.config 


/opt/novell/ifolder3/lib64/simias/webaccess/Web.config 
Table K-19 iFolder Server Log Files 


Path Description 


/var/opt/novell/log/oes/ifolder/adminweb.log 
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IPrint 
Table K-20 iPrint Configuration Files 


Path 


letc/Id.so.conf.d/iprint.conf 


Description 


letc/opt/novell/httpd/conf.d/iprint g.conf 


iPrint configuration file for apache server 


letc/opt/novell/httpd/conf.d/iprint ssl.conf 


iPrint configuration file for apache server 


letc/opt/novell/iprint/conf/idsd-template.conf 


iPrint Driver Store Daemon template configuration 
file 


letc/opt/novell/iprint/conf/ipsmd-template.conf 


iPrint Print Manager Daemon template 
configuration file 


/var/opt/novell/iprint/htdocs/iprint.ini 


Table K-21 iPrint Log Files 


Path 


lopt/novell/iprintmgmt/lib/Logger.properties 


Configuration file for iPrint Windows Client 


Description 


Logging other configurations file 
(java.util.logging.config.file). 


/var/log/apache2/ 


Contains log files for Apache activities 


/var/opt/novell/iManager/nps/WEB-INF/logs/ 
debug.html 


Debug information of iPrint plug-in for iManager 


/var/opt/novell/log/iprintmgmt/IPrintManLogger0.log 


iprintman log file. 


/var/opt/novell/log/oes/iprint/idsd.log 


Contains log messages of iPrint driverstore 


/var/opt/novell/log/oes/iprint/iprint_nss_relocate.log 


Contains logs of iPrint nss relocation script. 


/var/opt/novell/log/oes/iprint/iprint_nss_relocate.log 


Contains log messages of iPrint relocation script 


/var/opt/novell/log/oes/iprint/iprintgw.log 


Contains log messages of iPrint gateway process 


/var/opt/novell/log/oes/iprint/ipsmd.log 


Contains log messages of iPrint manager 


/var/opt/novell/tomcat6/logs/catalina.out 


Log file for iManager activities 


Linux User Management 


Table K-22 LUM Configuration Files 


Path 


/etc/nam.conf 


/etc/nsswitch.conf 


Configuration and Log Files 


Description 


Configuration parameters for lum. 


LUM puts in 'nam' against 'passwd' and 'group' 
entries for the nsswitch plugin. 


K.13 


Table K-23 LUM Log Files 


Path 


/var/lib/novell-lum/nam.log 


Description 


Logging when LUM is configured. 


/var/log/messages 


Logging when namcd is running. This is the default 
location. It can also be configured to a different file 
by setting log-file-location in nam.conf and can 
change the level of logging by using log-level in 
nam.conf. 


lvar/log/ YaST2/y2log* 


Migration Tool 


Table K-24 Migration Tool Configuration Files 


Path 


«project folder»/config.txt 


Table K-25 Migration Tool Log Files 


Path 


«project folder»/data.log 


Logging when LUM is configured. 


Description 
The source NetWare server configuration file. This 


is used to verify nlm versions, code page and other 
details. 


Description 


The output and errors encountered during 
execution of migedir command. 


«project folder»/mignds.log 


The log file created during edirectory dib copy 


«project folder»/migndscheck.log 


The log file created for nds time sync check 


«project folder7/log/afp.log 


This stores the information about the command 
sequence and errors encountered during AFP 
migration. 


«project folder2/log/av.log 


This stores the information about the command 
sequence and errors encountered during AV 
migration. 


«project folder»/log/cifs.log 


This stores the information about the command 
sequence and errors encountered during CIFS 
migration. 


«project folder»/log/debug.log 


This is the developer debug log which stores 
information on the user inputs, outputs, command 
sequence, errors and success of the entire 
migration. 


«project folder»/log/dhcp.log 


This stores the information about the command 
sequence and errors encountered during DHCP 
migration. 
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K.14 


Path 


<project_folder>/log/filesystem.log 


Description 


This stores the information about the command 
sequence and errors encountered during File 
System migration. 


<project_folder>/log/filesystem.success.log 


This stores the list of all successfully migrated files 
during File System migration. 


<project_folder>/log/ftp.log 


This stores the information about the command 
sequence and errors encountered during FTP 
migration. 


<project_folder>/log/ifolder.log 


This stores the information about the command 
sequence and errors encountered during iFolder 
migration. 


<project_folder>/log/iprint.log 


This stores the information about the command 
sequence and errors encountered during iPrint 
migration. 


<project_folder>/log/migration.log 


This stores the information about the command 
sequence and errors encountered during iFolder 
migration. 


<project_folder>/log/ntp.log 


This stores the information about the command 
sequence and errors encountered during NTP 
migration. 


<project_folder>/log/serveridswap.log 


This stores the information about the command 
sequence, errors encountered and success states 
during identity migration. 


/var/opt/novell/log/migration/migfiles.log 


migfiles debug log 


/var/opt/novell/log/migration/mls.log 


mls debug log 


/var/opt/novell/log/migration/migmatchup.log 


migmatchup debug log 


/var/opt/novell/log/migration/maptrustees.log 


maptrustees debug log 


/var/opt/novell/log/migration/migtrustees.log 


migtrustees debug log 


/var/opt/novell/log/migration/maprights.log 


maprights debug logs 


/var/opt/novell/log/migration/migrights.log 


migrights debug log 


/var/opt/novell/log/migration/volmount.log vol 


NetStorage 


Table K-26 NetStorage Configuration Files 


Path 


/etc/opt/novell/netstorage/netstorage.conf 


mount debug log 


Description 


Apache config file 


lopt/novell/netstorage/webapp/WEB-INF/classes/ 
Settings.properties 
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Config file for ssh enabling, zip encoding, mail 
configuration changes. 
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Path 


lopt/novell/netstorage/webapp/WEB-INF/classes/ 
Settings *.properties 


Table K-27 NetStorage Log Files 


Path 


/var/log/messages 


Description 


Same as Settings.properties but language specific. 


Description 


Log file for NetStorage/Xtier 


/var/opt/novell/netstorage/cifsdav.log 


Novell Cluster Services 


Table K-28 NCS Configuration Files 


Path 


/etc/opt/novell/ncs/clstrlib.conf 


Log file for CIFS access. 


Description 


Cluster configuration file 


/etc/opt/novell/ncs/<nodename> 


Table K-29 NCS Log Files 


Cluster configuration for a specific cluster node 


Path Description 

/var/log/messages Cluster event log. Events are viewable in Novell 
iManager by going to Clusters > My Clusters, select 
the cluster, then click Event Log. 

lvar/log/YaST2/y2log Cluster Services configuration log 


/var/opt/novell/install/ncslog 


Cluster Services installation log 


/var/opt/novell/log/ncs/ 
<resource_name>.<load|unload|monitor>.out 


Cluster resource runtime messages that are output 
from the load, unload, or monitor scripts 


Novell Linux Volume Manager 


Table K-30 NLVM Configuration Files 


Path 


letc/opt/novell/nss/nlvm.conf 


Description 


Config file for nlvm. 


Ivarlrun/novell-nss/nlvm.lock 


Local lock file for nlvm. 


Configuration and Log Files 


377 


Table K-31 NLVM Log Files 


Path Description 

lopt/novell/nss/nlvm/ Directory for nlvm storage configuration database 
files. 

/var/opt/novell/log/nss.debug/ Directory for debug files when debug is enabled. 


K.17 Novell Storage Services 


Table K-32 NSS Configuration Files 


Path Description 
/etc/opt/novell/nss/nivm.conf NLVM configuration file 
/etc/opt/novell/nss/nssstart.cfg NSS configuration file 


/etc/opt/novell/nss/trustees.xml 


Table K-33 NSS Log Files 


Path Description 

/var/log/messages All Syslogs from NSS. 
/var/opt/novell/log/nss/debug/* Debug files for NLVM etc. 
/var/opt/novell/log/nss/rav/* Debug file for Rebuild and Verify. 


K.18 Novell Samba 


Table K-34 Novell Samba Configuration Files 


Path Description 


/etc/samba/smb.conf Service configuration 
Table K-35 Novell Samba Log Files 


Path Description 


path: /var/log/samba/novell-samba-config.log Log file generated during execution of novell- 
samba-config.sh script 


378 Configuration and Log Files 


K.19 


K.20 


NCP 


Table K-36 NCP Configuration Files 


Path 


letc/opt/novell/ncp/ncp2nss.audit.conf 


Description of Configuration File 


Rotation of ncp2nss audit log files (/var/opt/novell/ 
log/oes/ncp/ncp2nss.audit.log) 


letc/opt/novell/ncp/ncp2nss.log.conf 


Rotation of NCP2NSS run-time log files (/var/opt/ 
novell/log/oes/ncp/ncp2nss.log) 


letc/opt/novell/ncp/ncpserv.audit.conf 


Rotation of NCP server audit log files (/var/opt/ 
novell/log/oes/ncp/ncpserv.audit.log) of NCP 
Server 


letc/opt/novell/ncp/ncpserv.log.conf 


Rotation of NCP server run-time log files (/var/opt/ 
novell/log/oes/ncp/ncpserv.log) 


letc/opt/novell/ncp2nss.conf 


NCP2NSS 


letc/opt/novell/ncpserv.conf 


Table K-37 NCP Log Files 


Path 


lvar/opt/novell/log/libnrm2ncp.log 


NCP server 


Description of Log File 


Communication between NRM (Novell Remote 
Manager) and NCP Server 


/var/opt/novell/log/ncp2nss.audit.log 


NCP2NSS Audit 


/var/opt/novell/log/ncp2nss.log 


Communication between NCP server and NSS 


/var/opt/novell/log/ncpcon.err 


/var/opt/novell/log/ncpcon.log 


/var/opt/novell/log/ncpserv.audit.log 


NCP Server Audit 


/var/opt/novell/log/ncpserv.log 


QuickFinder 


Table K-38 QuickFinder Configuration Files 


Path 


var/lib/gfsearch/bin/configure-OES.sh 


NCP server 


Description of Configuration File 


Script to configure quickfinder for OES. Run by 
YaST 


/var/lib/gfsearch/bin/create-admin-user.sh 


Script to create admin user in lum 


/var/lib/gfsearch/bin/unconfigure-OES2.sh 


Script to unconfigure quickfinder 


/var/lib/gfsearch/bin/updatetomcat.sh 


Script to customize tomcat for quickfinder 
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Table K-39 QuickFinder Log Files 


Path 


/var/opt/novell/log/oes/qfsearch/access.log 


Description of Log File 


access log 


/var/opt/novell/log/oes/qfsearch/Cluster.log 


cluster synchronization log 


/var/opt/novell/log/oes/qfsearch/Error.log 


SMS 


Table K-40 SMS Configuration Files 


Path 


/etc/opt/novell/sms/smdrd.conf 


error log 


Description of Configuration File 


Configuration of SMDRD daemon 


/etc/opt/novell/sms/tsafs.conf 


Table K-41 SMS Log Files 


Path 


/var/opt/novell/log/sms/smdrd_debug_MYPID.log 


Configuration of TSAFS 


Description of Log File 


Logs for SMDRD calls (related to PID) 


/var/opt/novell/log/sms/tsafs_debug_MYPID.log 


Vigil 
Table K-42 Vigil Configuration Files 


Path 


letc/Id.so.conf.d/novell-libvigil.conf 


Logs of TSAFS calls (related to PID) 


Description 


Path to libvigil shared object 


lusr/share/omc/svcinfo.d/novell-vigil.xml 


Table K-43 Vigil Log Files 


Path 


lvar/log/audit/vlog/clientNamel/ 
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Description XML for NSS auditing engine 


Description of Log File 


Logs for SMDRD calls (related to PID) 


Lit 


Small Footprint CIM Broker (SFCB) 


* Section L.1, “Overview,” on page 381 

* Section L.2, “OES CIM Providers," on page 382 

* Section L.3, “SFCB Is Automatically Installed with OES 11 SP3,” on page 382 

* Section L.4, "Coexistence with NRM and iManager in Earlier Releases," on page 383 
* Section L.5, “SFCB and Linux User Management (LUM),” on page 383 

* Section L.6, "Links to More Information about WBEM and SFCB,” on page 383 


Overview 


OES 11 SP3 services are managed using Web-Based Enterprise Management (WBEM) as proposed 
by the Distributed Management Task Force (DMTF) (http://www.dmtf.org/home). 


The following information describes a few of the components proposed by the DMTF standards. 


+ Web-Based Enterprise Management (WBEM): Is a set of management and Internet standard 
technologies developed to unify the management of enterprise computing environments. WBEM 
provides the ability for the industry to deliver a well integrated set of standards-based 
management tools leveraging emerging Web technologies. The DMTF has developed a core set 
of standards that make up WBEM: 


* Adata model: the Common Information Model (CIM) standard 
* An encoding specification: CIM-XML Encoding Specification 
* Atransport mechanism: CIM Operations over HTTP 


* The Common Information Model (CIM): Is a conceptual information model for describing 
management that is not bound to a particular implementation. This allows for the interchange of 
management information between management systems and applications. This can be either 
agent-to-manager or manager-to-manager communications that provide for distributed system 
management. There are two parts to CIM: the CIM Specification and the CIM Schema. 


* The CIM Specification describes the language, naming, and meta schema. The meta 
schema is a formal definition of the model. It defines the terms used to express the model 
and their usage and semantics. The elements of the meta schema are Classes, Properties, 
and Methods. The meta schema also supports Indications and Associations as types of 
Classes, and References as types of Properties. 


* The CIM Schema provides the actual model descriptions. The CIM Schema supplies a set 
of classes with properties and associations that provide a well understood conceptual 
framework within which it is possible to organize the available information about the 
managed environment. 


* The Common Information Model Object Manager (CIMOM) is a CIM object manager or, more 
specifically, an application that manages objects according to the CIM standard. 


* CIMOM Providers: Are software that performs specific tasks within the CIMOM that are 
requested by client applications. Each provider instruments one or more aspects of the CIMOM's 
schema. 
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The packages contained in the Web-based Enterprise Management pattern in the Primary Functions 
category include a set of basic Novell providers, including some sample providers, and a base set of 
accompanying Novell schemas. 


SLES 11 provides SFCB as default CIMOM and CIM clients. OES 11 uses these because they are 
part of the base OS. 


L.2 OES CIM Providers 


Package (RPM) Description 


novell-afp-providers Used by the Novell AFP iManager plug-in (novell-plugin-afptcpd) to 
read and edit configuration parameters in the afptcpd.conf, 
afpvols.conf and afpdirctx.conf files, and to start or stop the 
AFP server. 


novell-hms-providers Used by Novell Remote Manager (NRM) HMS (Health Monitoring 
Services) in conjunction with the sblim-cmpi-base providers to 
obtain data and status for CPU utilization, process count, physical 
memory, swap memory, virtual memory, and LAN collisions. 


novell-lum-providers Used by the Linux User Management iManager plug-in (novell- 
usermanagement-imanager-plugin) to read lum configuration from 
/etc/nam.conf and lum enabled services information from /etc/ 
pam.d 


novell-nss-admin-session-sfcb-provider A set of Linux Instrumentation for Enterprise (LIFE) providers that 
the Storage iManager plug-in uses to access OES storage 
subsystem through the SFCB CIMOM. The Storage plug-in is 
common to NSS, CIFS, and Archive and Version Services. 


novell-sms-cmpi-provider Reads and modifies the SMS configuration files and is also used 
for administration of NSS, CIFS, NCS, and DFS. 


The providers are compiled and located in the /opt/novell/ 
lib64/sfcb/cmpi folder. 


Novell-samba-cim Used by the Samba iManager plug-in (novell-plugin-samba) to 
read and modify the Samba configuration file (smb . conf) when 
shares are created, deleted, or modified. 


L.3 SFCB Is Automatically Installed with OES 11 SP3 


When you install any OES components that depend on WBEM, SFCB and all of its corresponding 
packages are installed with the components. 
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L.4 


L.5 


L.6 


Coexistence with NRM and iManager in Earlier 
Releases 

The SFCB-based CIM providers in OES 11 SP3 provide the same functionality and management 
capabilities as the WBEM-based CIM providers in earlier NetWare and OES releases. 


iManager plugins and NRM running on NetWare and OES (all versions) work seamlessly with 
services running on NetWare and OES (all versions). 


SFCB and Linux User Management (LUM) 


SFCB is automatically PAM-enabled for LUM as part of OES 11 SP3 installation. Users not enabled 
for LUM cannot use the CIM providers to manage OES. 


Links to More Information about WBEM and SFCB 


For more information about WBEM, CIM, and SFCB, see the following: 


* “Web Based Enterprise Management" (http://www.suse.com/documentation/sles11/ 
book sle admin/data/cha wbem.html) in the SLES 11 documentation (http://www.suse.com/ 
documentation/sles11/index.html). 


+ Web-Based Enterprise Management (WBEM) standard (http://www.dmtf.org/standards/wbem) 
Web site. 


+ Common Information Model (CIM) (http://www.dmtf.org/standards/cim) Web site. 
¢ Small Footprint CIM Broker (SFCB) (http://sblim.wiki.sourceforge.net/Sfcb) Web site. 
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Documentation Updates 


This section summarizes the changes made to this guide since the initial release of Novell Open 
Enterprise Server 11. For links to summaries prior to OES 11 SP3, see the bottom of this page. 


¢ Section M.1, "Summary of Changes—OES 11 SP1,” on page 386 
¢ Section M.2, “Summary of Changes—OES 11,” on page 386 


February 26, 2015 


Section 6.21.5, “NSS Considerations,” on Removed the restriction that NSS pools and volumes must be 
page 128 created on only SCSI or Fibre Channel devices. 


September 3, 2014 


Chapter 6, “Caveats for Implementing OES Removed section on ConsoleOne being supported for only 


11 SP3 Services,” on page 113 GroupWise and .Zenworks. 
ConsoleOne is no longer supported for use with any Novell 
products. 

June 4, 2014 

Section 18.5.8, “Troubleshooting Pure- New section. 

FTPd from Novell,” on page 271 

April 15, 2014 

Table 7-1 on page 130 Removed OES 2 SP2 as a supported upgrade source server. 

February 13, 2014 

"iManager Differences on OES” on New Section. 


page 151 
January 29, 2014 


“What's New or Changed in OES 11 SP1 Added information about the OES 11 SP1 January 2014 Patches 
January 2014 Patches" on page 18 release. 


January 28, 2014 


All Updated for OES 11 the SP2 release. 
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M.1 Summary of Changes—OES 11 SP1 


This section lists only substantive changes. Link fixes and other non-substantive changes are not 


listed. 


June 26, 2013 


“User Specific Home Directory in 
eDirectory” on page 265 and “Default 
Home Directory” on page 265 


April 29, 2013 


Chapter or Section Changed 


Section 1.4.8, “eDirectory,” on page 47 


March 20, 2013 


Chapter or Section Changed 


Clarified configuration requirements. 


Summary of Changes 


New section that mentions the inclusion of the Graphical NDS 
Repair utility in OES 11 SP1. 


This item which was inadvertently omitted during the initial 
documentation release for OES 11 SP1. We apologize for the 
confusion and frustration this has caused. Utility documentation 
is being created and will be posted as soon as possible. 


Summary of Changes 


Section 15.4, “Using the Identity Manager 4.5 Revised section. 


Bundle Edition,” on page 222 


M.2 Summary of Changes—OES 11 


This section lists only substantive changes. Link fixes and other non-substantive changes are not 


listed. 
August 7, 2012 


Chapter or Section Changed 


“Changing Proxy Passwords Automatically” 
on page 342 


July 7, 2012 


Chapter or Section Changed 


“Changing Proxy Passwords Automatically” 
on page 342 
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Summary of Changes 


Modified explanation of when password is changed to reflect 
change coming in next patch release. 


Summary of Changes 


Clarified how often password is changed. 


April 24, 2012 


Chapter or Section Changed Summary of Changes 


Section 1.5.14, “NCP Server," on page 67 Replaced section content. 
April 19, 2012 


Chapter or Section Changed Summary of Changes 


Table E-1 on page 323 Removed the reference to Tomcat Manager, which is a 
NetWare-only tool. 


January 9, 2012 


Section Change 
Section 4.5.2, "Preparing the Installation Media," on Content updated to reflect the addition of the 


page 108 Automated Upgrade CD .iso image file to 
download.novell.com. 
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